A former hacker for the National Security Agency has demonstrated an effective approach for malware creators to attack macOS, by repurposing code developed by state-sponsored hackers.
As with other software development projects, creating malware typically requires a lot of effort to produce software that takes advantage of exploits, so shortcuts to a completed piece of software are always sought after by those producing them. As explained by Jamf security researcher Patrick Wardle in a talk at the RSA Security conference, such shortcuts are available in malware development.
In essence, Wardle proposed taking advantage of exploits, spyware, and other code that has already been developed by major groups working on behalf of other countries, reports Ars Technica. The code developed by these teams is usually better and not as resource-intensive as home-cooked efforts, and is probably more robust as well.
"There are incredibly well-funded, well-resourced, very motivated hacker groups in three-letter agencies that are creating amazing malware that's fully featured and also fully tested," said Wardle. "The idea is, why not let these groups in these agencies create malware, and if you're a hacker, just repurpose it for your own mission?"
Wardle demonstrated to attendees four pieces of Mac malware that have been employed in attacks over the years, which he then altered to report to command servers under his own control rather than the original ones. Having taken command, he could then use the malware to acquire data, install payloads, or carry out any other activity already built into it.
It is suggested there could be two key benefits for hackers in taking this approach. The main one is that other state-sponsored groups could avoid having to develop, or risk exposing, their own malware to accomplish a task. This would allow them to keep their own techniques and software secret for use in the future, minimizing detection down the line.
The second byproduct is that, if the malware is detected and analyzed, blame for the attack could be attributed to the malware's original developers rather than to those actually using it.