Security researchers at F-Secure have recently uncovered a small spam campaign aimed at delivering spyware to Mac users who use the Exodus cryptocurrency wallet.
The campaign leverages Exodus-themed phishing messages carrying an attachment named “Exodus-MacOS-1.64.1-update.zip.” The messages were sent by accounts associated with the domain “update-exodus[.]io”; the attackers used it to trick victims into believing that it was a legitimate domain used by the Exodus organization.
The malware poses as a fake Exodus update, using the subject line “Update 1.64.1 Release – New Assets and more”. Experts pointed out that the latest released version of Exodus is 1.63.1.
The zip archive includes an application created earlier this month that contains a Mach-O binary with the filename “rtcfg”. The researchers analyzed the code and found several strings and references to the “realtime-spy-mac[.]com” website, a cloud-based remote spy software for Mac systems.
“From the website, the developer described their software as a cloud-based surveillance and remote spy tool. Their standard offering costs $79.95 and comes with a cloud-based account where users can view the images and information that the tool uploaded from the target machine,” states the blog post published by F-Secure. “The strings that were extracted from the Mac binary from the mail spam coincide with the features mentioned in the realtime-spy-mac[.]com tool.”
Experts searched for similar instances of the Mac keylogger in the F-Secure repository and found other applications, including taxviewer.app, picupdater.app, MacBook.app, and launchpad.app.
“Based on the spy tool’s website, it appears that it does not only support Mac but Windows as well,” concludes F-Secure. “It’s not the first time that we’ve seen Windows threats target Mac. As the crimeware threat actors in Windows take advantage of the cryptocurrency trend, they also seem to want to expand their reach, hence also ended up targeting Mac users.”
Further details about the campaign, including IoCs, are reported in the analysis published by F-Secure.
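The triage F-Secure describes (open the attachment, spot the Mach-O binary inside the app bundle, pull its strings and match them against the domains named above) can be scripted for mail-gateway or sandbox use. The following is an added example, not code from F-Secure or from the article; the bundle layout and the binary contents are constructed sample data, with only the attachment name, the `rtcfg` filename and the two defanged domains taken from the report.

```python
import io
import re
import zipfile

# 4-byte Mach-O headers (32/64-bit, both byte orders) plus fat/universal headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
# Indicators named in the report, re-fanged so they match what a binary would embed.
INDICATORS = ("realtime-spy-mac.com", "update-exodus.io")


def is_macho(data: bytes) -> bool:
    """True if the file starts with a Mach-O or fat header."""
    return data[:4] in MACHO_MAGICS


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_zip(zip_bytes: bytes) -> dict:
    """Walk a zip attachment, list Mach-O members and any indicator hits in their strings."""
    findings = {"macho_files": [], "indicator_hits": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if not is_macho(data):
                continue
            findings["macho_files"].append(info.filename)
            for s in printable_strings(data):
                for ioc in INDICATORS:
                    if ioc in s:
                        findings["indicator_hits"].append((info.filename, ioc))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a bundle with a fake 64-bit Mach-O named rtcfg."""
    fake_binary = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"upload https://realtime-spy-mac.com/\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Exodus-MacOS-1.64.1-update.app/Contents/MacOS/rtcfg", fake_binary)
        zf.writestr("Exodus-MacOS-1.64.1-update.app/Contents/Info.plist", "<plist/>")
    return buf.getvalue()
```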