- May 4, 2019
- 801
In-memory infection makes it harder for end-point protection to detect it.
Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.
In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.
In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasing common since then.
The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light earlier this week, only two out of 57 antivirus products detected it as suspicious. On Friday, according to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.
Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:
Newly discovered Mac malware uses “fileless” technique to remain stealthy
In-memory infection makes it harder for end-point protection to detect it.
arstechnica.com