“Apple Macs are rarely the target of digital espionage. But in recent years, a mysterious hacker crew called WindShift has targeted specific individuals working in government departments and critical infrastructure across the Middle East,” Thomas Fox-Brewster reports for Forbes. “And they’re exploiting weaknesses believed to affect all Apple Mac models.”
“That’s according to United Arab Emirates-based researcher Taha Karim, who said the targets were located in the so-called Gulf Cooperation Council (GCC) region. That encompasses Saudi Arabia, Kuwait, the UAE, Qatar, Bahrain and Oman,” Fox-Brewster reports. “The targets were sent spear phishing emails containing a link to a site run by the hackers. Once the target clicked on the link, an attack would launch, the eventual aim of which was to download malware dubbed WindTale and WindTape.”
“Karim, a researcher at cybersecurity company DarkMatter, said the attackers had found a way to ‘bypass all native macOS security measures,’” Fox-Brewster reports. “He’s presenting his full findings on Thursday at the Hack In The Box conference in Singapore.”
“DarkMatter said the hackers’ web page would attempt to install a .zip file containing the malware. Once the download was completed, the malware would attempt to launch via what’s known as a ‘custom URL-scheme.’ That’s not as complex as it sounds. Developers can create their own URL scheme so that specific parts of their app will open when a link is opened,” Fox-Brewster reports. “Here’s what happens in the case of the WindShift team’s malware: First, a user visits a website that tries to install a .zip file. Inside is the malware. The Apple Safari browser will automatically unzip the file and macOS will automatically register the malware’s chosen URL scheme. The same website from which the malware was downloaded will then make a request, via the now-registered custom URL scheme, to launch the malicious software. The attackers are relying on victims to keep the site live once they’ve installed the .zip file, long enough for the malware to work.”
Read more in the full article here.
MacDailyNews Take: As Fox-Brewster explains, Apple’s latest versions of Safari will show a prompt asking the user to confirm they want to run those custom URL schemes. And if the user clicks allow, there will be another request from Apple’s Gatekeeper security feature, which will again ask the user if they really want to install the files. So, you’d have to be pretty determined to infect your Mac with malware.
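The chain described above hinges on an app bundle landing on disk (Safari auto-unzipping the download) and declaring a custom URL scheme that Launch Services then registers. A defender can spot that condition directly: every bundle advertises its schemes in the `CFBundleURLTypes` / `CFBundleURLSchemes` keys of its `Info.plist`. The following script is an added example written for this post, not code from the article, Forbes, or DarkMatter; it walks the folders where downloads and apps live, lists every bundle that claims a URL scheme, flags the ones sitting outside normal install locations (such as `~/Downloads`), and, when run on macOS, reads Safari's `AutoOpenSafeDownloads` preference. The `demo()` function builds a constructed fixture bundle in a temporary directory so the logic can be exercised on any platform; the bundle name, identifier and scheme in it are invented for illustration.

```python
"""Audit app bundles for custom URL-scheme registrations (added example)."""
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Assumption: standard macOS layout. Safari auto-unzips into ~/Downloads,
# so a bundle with a URL scheme in there is exactly the case the article describes.
DEFAULT_ROOTS = [Path.home() / "Downloads", Path("/Applications"), Path.home() / "Applications"]
TRUSTED_PREFIXES = ("/Applications", "/System")


def schemes_from_info_plist(plist_path) -> List[str]:
    """Return the URL schemes one Info.plist declares (empty list if none/unreadable)."""
    try:
        with Path(plist_path).open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return []
    schemes: List[str] = []
    for url_type in info.get("CFBundleURLTypes") or []:
        if isinstance(url_type, dict):
            schemes.extend(s for s in url_type.get("CFBundleURLSchemes") or [] if isinstance(s, str))
    return schemes


def find_url_scheme_handlers(roots: Iterable[Path]) -> Dict[str, List[str]]:
    """Map bundle path -> declared schemes for every .app found under the given roots."""
    handlers: Dict[str, List[str]] = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, dirnames, _files in os.walk(root):
            for name in list(dirnames):
                if name.endswith(".app"):
                    bundle = Path(dirpath) / name
                    schemes = schemes_from_info_plist(bundle / "Contents" / "Info.plist")
                    if schemes:
                        handlers[str(bundle)] = schemes
                    dirnames.remove(name)  # do not descend into the bundle itself
    return handlers


def flag_untrusted(handlers: Dict[str, List[str]], trusted_prefixes=TRUSTED_PREFIXES) -> List[str]:
    """Bundles claiming a scheme from outside normal install locations (e.g. a download folder)."""
    return [b for b in handlers if not b.startswith(tuple(trusted_prefixes))]


def safari_auto_open_enabled() -> Optional[bool]:
    """Read Safari's 'Open safe files after downloading' setting; None if not on macOS or unset."""
    if shutil.which("defaults") is None:
        return None
    res = subprocess.run(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
                         capture_output=True, text=True)
    if res.returncode != 0:
        return None  # key not set: Safari's built-in default applies
    return res.stdout.strip() == "1"


def demo() -> Dict[str, object]:
    """Constructed fixture: one bundle with a scheme and one without, dropped into a fake Downloads."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "Downloads"
        bad = downloads / "Invoice.app" / "Contents"
        bad.mkdir(parents=True)
        with (bad / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "example.constructed.invoice",
                           "CFBundleURLTypes": [{"CFBundleURLName": "Constructed handler",
                                                 "CFBundleURLSchemes": ["openinvoice"]}]}, fh)
        benign = downloads / "Notes.app" / "Contents"
        benign.mkdir(parents=True)
        with (benign / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "example.constructed.notes"}, fh)
        handlers = find_url_scheme_handlers([downloads])
        return {"handlers": {Path(k).name: v for k, v in handlers.items()},
                "flagged": [Path(b).name for b in flag_untrusted(handlers)]}


if __name__ == "__main__":
    found = find_url_scheme_handlers(DEFAULT_ROOTS)
    for bundle, schemes in sorted(found.items()):
        print(f"{bundle}: {', '.join(schemes)}")
    for bundle in flag_untrusted(found):
        print(f"REVIEW (outside trusted locations): {bundle}")
    print("Safari AutoOpenSafeDownloads:", safari_auto_open_enabled())
```

Run it as-is on a Mac to list handlers; a bundle in `~/Downloads` that claims a scheme is worth a closer look before anything is clicked, and turning `AutoOpenSafeDownloads` off removes the automatic unzip step the attackers rely on.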