{"id":78019,"date":"2018-05-03T13:41:47","date_gmt":"2018-05-03T20:41:47","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=78019"},"modified":"2018-05-03T13:41:47","modified_gmt":"2018-05-03T20:41:47","slug":"caution-mac-specific-hack-tool-mettle-discovered","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/caution-mac-specific-hack-tool-mettle-discovered\/","title":{"rendered":"Caution: Mac-specific Hack Tool Mettle Discovered"},"content":{"rendered":"

\"Mac<\/p>\n

Security researchers have discovered a Mac specific implementation of the hacking tool<\/a> Meterpreter, called Mettle.\u00a0As described<\/a> by its creator,\u00a0“[Mettle] can run on the smallest embedded Linux targets to big iron, and targets Android, iOS, macOS, Linux, and Windows, but can be ported to almost any POSIX-compliant environment.”<\/p>\n

Meterpreter is a tool packaged together with the popular Metasploit Framework, a versatile penetration testing software suite that can be used to test a network’s security defenses, expose vulnerabilities and exploit them, if desired.<\/p>\n

Metasploit\u00a0is very useful software\u00a0for those who\u00a0wish to harden and defend a network;\u00a0unfortunately, it is an equally useful tool for those who\u00a0wish to break into a network and cause havoc.\u00a0Meterpreter is one of the payloads that Metasploit uses, which allows a\u00a0user to execute a number of commands on a\u00a0target system.<\/p>\n

What is the infection vector?<\/h3>\n

This can really be anything from a fake Adobe Flash Player that drops this backdoor, an \u201cevil maid\u201d attack in which someone with physical access installs it, or a hack.<\/p>\n

If Mettle ends up on your Mac and is used in conjunction with MetaSploit, chances are the prime suspect is phishing or spear phishing. There is a possibility that your IT staff used this as part of a test for system and network security, so if your Mac falls under the care of such staff, check with them right away. If this came from them, they’ll probably be happy to see you discovered it. If it did not come from them, they’ll want to investigate immediately to see if there has been a data breach.<\/p>\n

About OSX\/Mettle.A<\/h3>\n

Mettle is a Mach-O (short for Mach object file format), meaning it was developed specifically for the Mac. This can be a port from another platform, similar to what\u00a0we saw with Snake malware<\/a>. This Mach-O is the exploit layer used to gain access to a target system.\u00a0Intego VirusBarrier<\/a> identifies and eradicates this threat\u00a0as OSX\/Mettle.A<\/strong>.<\/p>\n

Once access is provided by Mettle, the attacker can perform a wide range of tasks, including the ability to upload and download files, log keystrokes, search for files, execute scripts, take screenshots, access the camera, and much more. Because\u00a0users can write their own scripts for Mettle, its functionality is only limited by the skills of the user who\u00a0controls it.<\/p>\n

Meterpreter and Mettle are difficult to detect on a system as it creates no files on the hard disk. It runs completely from memory (RAM) and attaches itself to a process. Unless you are\u00a0looking for it, you probably won’t know it’s there. Your Mac’s memory is not scanned by antivirus software, so you may wonder,\u00a0how can\u00a0Intego detect it?<\/p>\n

If Mettle finds its way onto your system as part of other malware\u2014if it touches your hard drive in any way\u2014it will be picked up immediately by VirusBarrier’s\u00a0Real-Time scanner<\/a>.<\/p>\n

\"\"<\/p>\n

If Mettle is executed from memory, while antivirus software\u00a0would not\u00a0detect it, Intego\u00a0NetBarrier (two way firewall) will detect\u00a0the network activity when Mettle opens the backdoor and waits for commands to come in from a remote server. (This highlights\u00a0the importance of having a layered approach to security<\/a>.)<\/p>\n

\"\"<\/p>\n

Upon inspecting Mettle’s behavior, we found that it was attempting to receive commands from an Amazon hosted server.<\/p>\n

\"\"<\/p>\n

While there are legitimate purposes for tools like\u00a0Metasploit, the potential for\u00a0this security suite to be\u00a0turned against you, rather than being used to help you, is unfortunately far greater. Mettle was not created with a malicious purpose in mind, in fact, Rapid7 is a big player in the security industry that has a range of services to help improve security for organizations. However, just because Mettle was created with good intentions does not mean it won’t be used\u00a0with bad intentions.<\/p>\n

Samples used for analysis:<\/strong>
\n08ae98aab06477f1d2622ec7f2c590ec17b8582308c657db51782d6d5963ec27
\n58a80594603607ed330049187085b84f15513b96b2335f588ca1b28dc2c15576<\/p>\n","protected":false},"excerpt":{"rendered":"

Security researchers have discovered a Mac specific implementation of the hacking tool Meterpreter, called Mettle.\u00a0As described by its creator,\u00a0“[Mettle] can run on the smallest embedded Linux targets to big iron, and targets Android, iOS, macOS, Linux, and Windows, but can be ported to almost any POSIX-compliant environment.” Meterpreter is a tool packaged together with the […]<\/p>\n","protected":false},"author":79,"featured_media":78235,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[4129,4126,4132,4135],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n