New Mac Malware Uses Steganography to Sneak Into Computers

New Mac Malware Uses Steganography to Sneak Into Computers

Most malware that pops up online targets Windows, but Apple’s platform is not immune. There’s a particularly sneaky new piece of malicious code floating around the web that hides in plain sight to attack macOS. The so-called VeryMal payload makes its way into computers by way of ad image files impregnated with a steganography-based payload.

For the unaware, steganography is the process of integrating text or data into an image file. Running the operation in reverse, it’s possible to extract that data from the image. That data could be anything — there’s nothing inherently harmful about steganographic images or image files in general. When you add malicious code and tools to extract and execute it, that’s when things get problematic.

VeryMal popped up between January 11th and 13th in advertising networks used by some of the top web publishers. The payload is malicious JavaScript code, but it evades filters by hiding inside an image. The image in question is a small white bar (sscc.jpg) that looks completely innocuous to the naked eye. When the ad loads, a small piece of seemingly harmless JavaScript comes along with it. That module reads through the image’s pixels (via an HTML5 canvas) to recreate the hidden malicious code and execute it.

The malicious code is hiding inside this simple white bar.
The malicious code is hiding inside this simple white bar.

This is Mac-specific malware, so the initial JavaScript code checks to see if Apple font families are on the machine. If not, it assumes the ad is being shown on a PC and doesn’t proceed further. If it does see Apple fonts, the extraction process continues. The result of executing code is a fairly typical redirect attack that tries to trick the user into downloading a fake Adobe Flash update. While Flash updates might not be the best trojan horse anymore, Mac users will be less familiar with this type of attack. Security firm Confiant estimates the cost impact for the January attack has been over $1.2 million.

If the user installs the malware package, they end up with a malvertising bot that runs in the background. It clicks on ads to generate revenue for those behind the scam. As with most malware, the best defense against VeryMal is a little common sense. You might also want to use an ad blocker, something Google might make much harder in the future.

Continue reading

Intel Launches AMD Radeon-Powered CPUs
Intel Launches AMD Radeon-Powered CPUs

Intel's new Radeon+Kaby Lake hybrid CPUs are headed for store shelves. Here's how the SKUs break down and what you need to know.

NASA’s OSIRIS-REx Asteroid Sample Is Leaking into Space
NASA’s OSIRIS-REx Asteroid Sample Is Leaking into Space

NASA reports the probe grabbed so much regolith from the asteroid that it's leaking out of the collector. The team is now working to determine how best to keep the precious cargo from escaping.

Chromebooks Gain Market Share as Education Goes Online
Chromebooks Gain Market Share as Education Goes Online

Chromebook sales have exploded in the pandemic, with sales up 90 percent and future growth expected. This poses some challenges to companies like Microsoft.

Intel’s Raja Koduri to Present at Samsung Foundry’s Upcoming Conference
Intel’s Raja Koduri to Present at Samsung Foundry’s Upcoming Conference

Intel's Raja Koduri will speak at a Samsung foundry event this week — and that's not something that would happen if Intel didn't have something to say.