State-sponsored Mac malware easily repurposed by ex-NSA hacker

A former hacker for the National Security Agency has demonstrated an effective approach for malware creators to attack macOS, by repurposing code developed by state-sponsored hackers.

As with other software development projects, creating malware typically requires a lot of effort to build software that takes advantage of exploits, so shortcuts to a finished piece of software are always sought after by those producing it. As Jamf security researcher Patrick Wardle explained in a talk at the RSA Security conference, such shortcuts are available in malware development.

In essence, Wardle proposed taking advantage of exploits, spyware, and other code that has already been developed by major groups working on behalf of other countries, reports Ars Technica. The code developed by these teams is usually better and less resource-intensive than home-cooked efforts, and is probably more robust as well.

"There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that's fully featured and also fully tested," said Wardle. "The idea is, why not let these groups in these agencies create malware, and if you're a hacker, just repurpose it for your own mission?"

Wardle demonstrated to attendees four pieces of Mac malware that have been used in attacks over the years, which he then altered to report to command servers under his control rather than to the originals. Once under new command, the malware could be used to acquire data, install payloads, or perform any other activity already built into it.

Two key benefits for hackers of this approach are suggested. The main one is that other state-sponsored groups could avoid having to develop, or risk exposing, their own malware to accomplish a task. This would allow them to keep their own techniques and software secret for future use, minimizing detection down the line.

The second byproduct is that, if the malware is detected and analyzed, blame for the attack could be attributed to the malware's original developers rather than to those actually using it.



12 Comments

georgie01 8 Years · 437 comments

So how does someone get ahold of state sponsored hacking tools? Maybe I’m missing something, but it sounds like he’s saying you can just get them and repurpose them as if they’re freely available, and that doesn’t sound right.

longpath 20 Years · 401 comments

georgie01 said:
So how does someone get ahold of state sponsored hacking tools? Maybe I’m missing something, but it sounds like he’s saying you can just get them and repurpose them as if they’re freely available, and that doesn’t sound right.

Put another way, if an official of country X claims country Y is responsible for some malware, all that may mean is that country X's three letter organizations repurposed code from country Y. As for how country X acquires country Y code, there have been a number of leaks, including from NSA. If Wikileaks can get a catalog of NSA exploits & malware, as they have done, then it stands to reason that malfeasant actors can also get copies of said code. If nothing else, there are all sorts of resources on the dark web.

lkrupp 19 Years · 10521 comments

This just reinforces the idea that government backdoors into encrypted data would be perfectly safe in the hands of bureaucrats. Nothing to worry about here. /s

lkrupp 19 Years · 10521 comments

Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.

CloudTalkin 5 Years · 916 comments

lkrupp said:
Correct me if I'm wrong but the user still has to be tricked into installing the malware, right? I'm currently using Safari Technology Preview as my browser and it always asks me if it's okay to download something from any site I happen to be on. I also think Safari's "open safe files" option should be removed so nothing launches after being downloaded. Most tech educated users probably have that option disabled already. I know I do.

Malware typically isn't targeted at the "tech educated" users. Malware is typically targeted at "average joes", aka the general public. There's far less potential financial or informational gain to be had going after someone with sound security practices. From a criminal standpoint why not reuse known effective malware to target as many as possible? If the attack is targeted, like the article says, blame can be attributed to the malware authors. Also, if the attack is targeted, I doubt the attack vector would be thwarted by Safari Tech Preview safeguards.