![\"Mac](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/malware-on-the-rise.jpg\")
<\/p>\n<\/p>\n
Intego has seen a\u00a0recent\u00a0increase in malware that affects Apple products, and while these threats are currently low risk, there are few things you need to be aware of so you can stay protected.<\/p>\n
The recent\u00a0uptick in malware began over the summer\u00a0with the discovery of Eleanor<\/a>, a piece of malware that opens a backdoor on OS X masquerading as a file converter app. Less than\u00a0a month later followed\u00a0the discovery of Adwind RAT<\/a>, a remote access trojan targeting OS X.<\/p>\n That same month, we learned of the Pegasus exploit affecting iOS<\/a>, giving those who targeted and infected an iOS device full access over its contents; Apple patched the same flaws in OS X<\/a> about a week later. Though no in the wild exploit like Pegasus is known to target OS X, it is not a stretch to think it may have been out there.<\/p>\n August was a busy month as the Keydnap malware was found<\/a> to hitch a ride on the Transmission application, stealing the OS X keychain contents from those infected.<\/p>\n That\u2019s just the kind of trouble that was out there for OS X and iOS users in the last two months. Luckily, Apple patched the vulnerabilities that allowed Pegasus to run and Intego protects its customers\u00a0from the above mentioned malware.<\/p>\n While there currently appears to be no active malware out there that can pose a threat, Intego is following several potential threats. Following are a few of these potential threats that Mac users need to be aware of.<\/p>\n Early September we learned of a file being distributed through email that, when opened, opens a backdoor on an OS X system and keeps an active connection to a remote server. It also creates a LaunchAgent to keep itself alive if a user logs out or restarts the computer. The process that runs in the background identifies itself as \u201cStreamMainer,\u201d which is a name that has been linked to Adwind in the past. When the malicious file is opened, Java installs files in the following locations:<\/p>\n How to know\u00a0if your Mac is infected<\/strong><\/p>\n From the Finder menu “Go”, select “Go to Folder” and copy\/paste each of the following paths (replace $USER with your own home folder name):<\/p>\n If the files or folders are found, your Mac is probably infected. Move the files to your trash and restart your Mac, then empty the trash and check the locations again. Your Mac should now be clear of Adwind RAT.<\/p>\n There is no indication at this time that the backdoor it creates is being used to steal data (or even if this malicious file is being actively spread online). As a precaution, Intego VirusBarrier<\/a> detects this as Java\/Adwind<\/strong>,\u00a0so Intego users will be protected from it or whatever it may become.<\/p>\n Intego has also learned of a Trojan posing as a fake Flash Player installer;\u00a0a sneaky little bug that saw previous iterations<\/a> open a backdoor on an infected system and steals files among other things. This particular version does not appear to activate the backdoor though, and in fact, the installation fails. This week a backdoor for OS X was discovered<\/a>. This cross platform malware is able to infect Windows and Linux systems as well, though an OS X sample of this backdoor was only recently uncovered. Mokes can take screenshots of an infected system as well as steal Office documents, record keystrokes, capture audio and video and execute commands.<\/p>\n Installing<\/strong><\/p>\n When executed for the first time, the malware copies itself to the first available of the following locations, in this order:<\/p>\n Corresponding to that location, it creates a LaunchAgent to achieve persistence on the system, so restarting the Mac will have\u00a0no effect on its functionality.<\/p>\n How to know\u00a0if your Mac is infected<\/strong><\/p>\n From the Finder menu “Go,” select “Go to Folder” and copy\/paste each of the above mentioned paths (replace $USER with your own home folder name). Again, if the files are found you are probably infected with Mokes. Remove the files and restart your Mac, then check for these files again to make sure they were properly deleted.<\/p>\n How this malware spreads\u00a0is currently unknown,\u00a0but if it finds its way onto your system, Intego VirusBarrier<\/a> will detect it as OSX\/Mokes<\/strong> and swiftly kick it to the curb.<\/p>\n Not every piece of malware is worthy of news coverage, but no news does not always mean good news. Intego\u2019s malware team is\u00a0hard at work analyzing potential threats every day of the week to make sure end users are protected.<\/p>\n While it\u2019s certainly good to know your Mac antivirus\u00a0software has your back, you can take some additional steps to protect yourself.<\/p>\n Intego has seen a\u00a0recent\u00a0increase in malware that affects Apple products, and while these threats are currently low risk, there are few things you need to be aware of so you can stay protected. The recent\u00a0uptick in malware began over the summer\u00a0with the discovery of Eleanor, a piece of malware that opens a backdoor on OS […]<\/p>\n","protected":false},"author":79,"featured_media":56794,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,151],"tags":[3025,86,1495,3109],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\nPotential new Adwind RAT<\/strong><\/h3>\n
\n![\"Adware-RAT-StreamMainer-Process\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/Adware-RAT-StreamMainer-Process.jpg\")
<\/a>
\nTraffic that was monitored between the backdoor and the server showed a certificate by \u201cassylias.Inc,\u201d which was also an indication this may be a version of Adwind.
\n![\"Adware-RAT-pcap-grab\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/Adware-RAT-pcap-grab.jpg\")
<\/a>
\nInstalling<\/strong><\/p>\n\n
\n
\n
\n
\n
iWorm\u2028 dubbed as fake Flash Player<\/strong><\/h3>\n
\n![\"iWorm-Installation-fails\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/iWorm-Installation-fails.jpg\")
<\/a>
\nThis could just be a Proof of Concept or the beginning of a functional Trojan horse. It is currently not known how (or even if) this Trojan is spreading in the wild, but VirusBarrier is ready for any potential encounters and detects it as OSX\/iWorm<\/strong>.<\/p>\n“Mokes\u2028” Malware<\/strong><\/h3>\n
\n
\n