New Mac Malware Uses Steganography to Sneak Into Computers

Most malware that pops up online targets Windows, but Apple’s platform is not immune. There’s a particularly sneaky new piece of malicious code floating around the web that hides in plain sight to attack macOS. The so-called VeryMal campaign gets its payload onto computers by way of ad image files with code hidden inside them using steganography.

For the unaware, steganography is the practice of hiding text or data inside another file, commonly an image, in a way that leaves the carrier looking ordinary. Running the operation in reverse, it’s possible to extract that data from the image. That data could be anything — there’s nothing inherently harmful about steganographic images or image files in general. When the hidden data is malicious code and something on the page is prepared to extract and execute it, that’s when things get problematic.

VeryMal popped up between January 11th and 13th in advertising networks used by some of the top web publishers. The payload is malicious JavaScript code, but it evades filters by hiding inside an image. The image in question is a small white bar (sscc.jpg) that looks completely innocuous to the naked eye. When the ad loads, a small piece of seemingly harmless JavaScript comes along with it. That module reads through the image’s pixels (via an HTML5 canvas) to recreate the hidden malicious code and execute it.

The malicious code is hiding inside this simple white bar.

This is Mac-specific malware, so the initial JavaScript code first checks whether Apple font families are available on the machine. If not, it assumes the ad is being shown on a PC and doesn’t proceed further. If it does see Apple fonts, the extraction process continues. The result of executing the extracted code is a fairly typical redirect attack that tries to trick the user into downloading a fake Adobe Flash update. While a fake Flash update is a well-worn lure on Windows, Mac users will be less familiar with this type of attack. Security firm Confiant estimates the cost impact of the January attack at over $1.2 million.
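The two steps described above, reading an image's pixels back out of a canvas to rebuild hidden code and checking that the carrier still looks blank, are easy to picture with a small round-trip. The following is an added example, not code from the article or from the VeryMal loader: it hides a script body in the least significant bits of an all-white RGBA pixel buffer (the same layout that `ctx.getImageData(...).data` returns from an HTML5 canvas), extracts it again, and then runs a defender-side check that flags a "white bar" whose channels are not uniformly 255. The LSB layout, the 32-bit length header, the `suspiciousWhiteBar` heuristic and its threshold are all assumptions made for illustration; the article does not specify VeryMal's actual encoding, and the browser-side Apple-font check is not reproduced here.

```javascript
// Added example: LSB steganography round-trip over a raw RGBA pixel buffer,
// i.e. the Uint8ClampedArray layout that ctx.getImageData(...).data returns
// from an HTML5 canvas. Illustrative scheme only; not VeryMal's real encoding.

const CHANNELS_PER_PIXEL = 4;     // R, G, B, A
const LSB_CHANNELS = [0, 1, 2];   // hide bits in RGB only; alpha is left intact

// Build an all-white RGBA image, standing in for the white-bar ad creative.
function makeWhiteImage(width, height) {
  const px = new Uint8ClampedArray(width * height * CHANNELS_PER_PIXEL);
  px.fill(255);
  return px;
}

// Capacity in bytes: three usable bits per pixel, eight bits per byte,
// minus the four bytes reserved for the length header.
function capacityBytes(pixels) {
  const bits = (pixels.length / CHANNELS_PER_PIXEL) * LSB_CHANNELS.length;
  return Math.floor(bits / 8) - 4;
}

// Yield the buffer indexes (pixel by pixel, R then G then B) that carry bits.
function* lsbSlots(pixels) {
  const pixelCount = pixels.length / CHANNELS_PER_PIXEL;
  for (let p = 0; p < pixelCount; p++) {
    for (const c of LSB_CHANNELS) yield p * CHANNELS_PER_PIXEL + c;
  }
}

// Write a 32-bit big-endian length header followed by the payload bytes,
// one bit per RGB channel LSB. Returns a new buffer; the input is not mutated.
function embedPayload(pixels, payload) {
  if (payload.length > capacityBytes(pixels)) throw new Error('payload too large for carrier');
  const out = new Uint8ClampedArray(pixels);
  const framed = new Uint8Array(4 + payload.length);
  new DataView(framed.buffer).setUint32(0, payload.length, false);
  framed.set(payload, 4);
  const slots = lsbSlots(out);
  for (const byte of framed) {
    for (let bit = 7; bit >= 0; bit--) {
      const idx = slots.next().value;
      out[idx] = (out[idx] & 0xfe) | ((byte >> bit) & 1);
    }
  }
  return out;
}

// Read the bits back in the same order. This is the step a malicious loader
// performs against canvas pixel data before handing the result to eval().
function extractPayload(pixels) {
  const slots = lsbSlots(pixels);
  const readByte = () => {
    let b = 0;
    for (let bit = 0; bit < 8; bit++) b = (b << 1) | (pixels[slots.next().value] & 1);
    return b;
  };
  const header = new Uint8Array(4);
  for (let i = 0; i < 4; i++) header[i] = readByte();
  const len = new DataView(header.buffer).getUint32(0, false);
  if (len > capacityBytes(pixels)) throw new Error('corrupt or absent length header');
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) out[i] = readByte();
  return out;
}

// Defender-side heuristic (assumed, not from the article): a creative that
// renders as a flat white bar should have every RGB channel at exactly 255.
// Count channels that deviate; a visually blank image with more than a tiny
// fraction of off-white channels deserves a closer look.
function suspiciousWhiteBar(pixels, maxRatio = 0.001) {
  let deviating = 0, total = 0;
  for (const idx of lsbSlots(pixels)) {
    total++;
    if (pixels[idx] !== 255) deviating++;
  }
  const ratio = deviating / total;
  return { deviating, total, ratio, suspicious: ratio > maxRatio };
}

// Usage: hide a redirect one-liner in a 300x40 white bar, recover it, and run
// the check on both the clean carrier and the stego image. Constructed data.
const carrier = makeWhiteImage(300, 40);
const hidden = new TextEncoder().encode("location.href='https://example.invalid/flash-update';");
const stego = embedPayload(carrier, hidden);
const recovered = new TextDecoder().decode(extractPayload(stego));
console.log(recovered);                                  // the hidden one-liner
console.log(suspiciousWhiteBar(carrier).suspicious);     // false
console.log(suspiciousWhiteBar(stego).suspicious);       // true
```

Two points worth noting from running it: the stego image is still pure white to the eye, because a channel value of 254 versus 255 is invisible, which is exactly why a filter that only looks at the rendered creative sees nothing; and the loader code that does the extraction carries no obviously malicious strings of its own, since the payload lives in the pixels. That puts the detection opportunity on the pixel statistics of the creative and on any script that touches `getImageData` and then `eval`s a string, rather than on signature-matching the ad's JavaScript.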

If the user installs the malware package, they end up with a malvertising bot that runs in the background. It clicks on ads to generate revenue for those behind the scam. As with most malware, the best defense against VeryMal is a little common sense: don’t install a “Flash update” you didn’t go looking for. You might also want to use an ad blocker, something Google might make much harder in the future.
