Expert Insight On New macOS Malware Spreading Through Google Search Results

By   ISBuzz Team
Writer , Information Security Buzz | Jun 23, 2020 02:56 am PST

It has been reported that cyber security company Intego has discovered new malware that disguises itself as a Flash Player. What is most concerning is that it is being distributed via webpages that appear in Google’s search results. Intego has discovered a new Trojan that is specifically designed to circumvent macOS Catalina’s security measures. A Trojan is a type of malware that pretends to be legitimate software, in this case a Flash Player, and is then installed by the user on their own. This particular Trojan is able to bypass these security restrictions because it launches an installation guide that guides the user through the steps necessary to install it. This newly discovered Trojan is particularly dangerous because it can be found via Google’s search results pages. If, for example, a web users searches for a title of a YouTube video on Google the results that appear can lead the user to a message suggesting that they have an outdated Flash Player and indicating that they can download the current version via a download button. The Trojan is hidden in this file.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Tim Mackey
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
June 23, 2020 10:59 am

The attack outlined here is essentially a “drive-by” where the attacker is attempting to pollute legitimate documents, in this case search results for popular topics, with their malware. Another example of this type of attack is the serving of adverts with embedded malware. In both situations, the attacker hopes their victim will follow their prompts and install the malicious software. Once the malicious software is installed, it can typically perform whatever tasks the user who installed it is permitted to do. Preventing this type of attack requires skepticism and an understanding of what is and isn’t installed or enabled on your computer. For example, if you have the Adobe Flash player already installed and a web site prompts to update it, then before trusting the web site’s claims, it’s best to validate if you have the current version from the author – in this case Adobe. If Adobe says Flash is outdated, then trusting Adobe’s opinion is likely legitimate. If the original website still claims Flash is out of date, but Adobe says otherwise, trust Adobe and question the original website’s security.\”

Adam Palmer, Chief Cybersecurity Strategist at Tenable, added \”Adobe Flash is a notoriously vulnerable piece of software, with numerous weaponised exploit kits developed for it, and commonly viewed as a high security and stability risk. While the malware discovered by Intego disguises itself as Flash Player, organisations should be taking steps to identify and block attempts by corporate users trying to install Flash – legitimate or otherwise. If there is a business case for a user to download Flash, this should be done with the knowledge of the IT team who can scan the files to ensure it’s the “real deal” and not a malicious imitation.

Looking at the bigger picture, the challenge for organisations is figuring out how to have full visibility across a constantly expanding attack surface. Web based vulnerabilities are still the most frequent source of data breaches. Although an old method, attackers still use web based applications to spread malware and find new victims because these applications are very successful attacks. A 2019 study found an average of 33 vulnerabilities on every web application. With over 500 recent data breaches associated with web applications, these risks remain the favourite vulnerability for attackers.

In this COVID-19 time,with employees working remotely, there is no defined corporate network perimeter. There is a high degree of risk that malicious applications could infect personal devices and introduce risks when these devices are connected to the company network. This puts the entire business at risk. Security teams need to be prepared for this and follow strong vulnerability management practices to find and remediate these critical risks. This should include performing automatic assessments of all devices to identify and reduce risks – particularly those from malicious or dangerous applications. Following these practices will greatly reduce risk exposure.

Last edited 3 years ago by Tim Mackey

Recent Posts

Would love your thoughts, please comment.x