Security researchers at Mosyle have uncovered a new family of Mac malware loaders written in unusual programming languages like Nim, Crystal, and Rust to evade traditional antivirus software. These loaders act as an initial point of entry for more harmful malware.
Key Findings:
- Malware loaders written in Nim, Crystal, and Rust.
- These languages are not commonly used for malware development, suggesting an attempt to bypass antivirus detection.
- The malware uses several evasion tactics, including persistence through macOS's launchctl, multi-hour sleep intervals, and directory checks before data transmission.
- The campaign appears to be in early stages, possibly focused on reconnaissance.
- Telemetry data suggests origins in Bulgaria and the United States.
- The malware samples initially went undetected by VirusTotal.
Malware Samples and C2 Domains (SHA-256):
- Nim Sample:
  - C2 Domain: strawberriesandmangos[.]com
  - Hash: f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07
- Crystal Sample:
  - C2 Domain: motocyclesincyprus[.]com
  - Hash: 2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702
- Rust Sample:
  - C2 Domain: airconditionersontop[.]com
  - Hash: 24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066
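The two actionable details above for a defender are the launchctl persistence mechanism and the three published SHA-256 hashes. The following triage helper is an added example (not Mosyle's code and not derived from the samples): it enumerates the standard launchd plist locations on a Mac, resolves the executable each job would run, hashes it, and flags any hash that appears in the IOC list. The directory list, the hash-to-label mapping and the sample plist are assumptions constructed for illustration.

```python
"""Launchd persistence triage against the published IOC hashes.

Added example for defenders; assumes the three SHA-256 values from the
report are the full IOC set and that persistence lives in the standard
launchd plist directories. Everything else here is constructed.
"""
import hashlib
import os
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# SHA-256 hashes from the report, keyed to the loader language.
IOC_HASHES = {
    "f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07": "Nim loader",
    "2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702": "Crystal loader",
    "24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066": "Rust loader",
}

# Standard launchd persistence locations (user agents, system agents, daemons).
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ioc_match(hexdigest):
    """Return the IOC label for a digest, or None when it is not listed."""
    return IOC_HASHES.get(hexdigest.lower())


def program_paths(plist_bytes):
    """Extract the executable(s) a launchd plist would start.

    launchd accepts either a bare 'Program' string or a 'ProgramArguments'
    array whose first element is the executable; both forms are handled.
    """
    data = plistlib.loads(plist_bytes)
    paths = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def scan_launchd(dirs=LAUNCHD_DIRS):
    """Yield (plist, executable, sha256 or None, ioc_label or None) per job."""
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                targets = program_paths(plist.read_bytes())
            except (plistlib.InvalidFileException, ExpatError, ValueError):
                continue  # malformed plist: skipped here, but worth a manual look
            for exe in targets:
                if not os.path.isfile(exe):
                    yield (str(plist), exe, None, None)  # dangling job: also suspicious
                    continue
                digest = sha256_file(exe)
                yield (str(plist), exe, digest, ioc_match(digest))


# Constructed sample plist in the shape a persistence job takes (illustration only).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/example-updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for plist, exe, digest, label in scan_launchd():
        if label:
            state = "IOC MATCH: " + label
        elif digest is None:
            state = "binary missing"
        else:
            state = "no match"
        print(f"{plist} -> {exe} [{state}]")
```

Run it as an admin on the host being triaged; a missing binary or a malformed plist is reported rather than silently skipped, since both are worth a second look even when no hash matches. Hash matching only catches these exact samples, so pair it with a review of any job whose executable sits outside the usual application paths.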
While writing loaders in uncommon languages is a stealthy approach, it may not become widespread because of the added development complexity. Mosyle continues to monitor these threats.