Ferdous Saljooki (@malwarezoo)

staff security researcher @jamfsoftware • macOS threat detection • views are my own

Toronto · Joined June 2017
Followers 747 · Following 2K · Media 12 · Statuses 400
@malwarezoo
Ferdous Saljooki
7 days
It’s an honor to be speaking at #OBTS again alongside so many incredible researchers. I’ll be sharing simple bugs that bypass Gatekeeper and CDHash revocation, allowing revoked ad-hoc signed malware to run without any re-signing.
@objective_see
Objective-See Foundation
8 days
📢 Just dropped: the full #OBTS v8 talk lineup! And for the first time we'll have 3 full days of presentations! 🤩. Congrats to the selected speakers and mahalo to all who submitted. With ~100 submissions, selecting the final talks was a daunting task! 😫.
@malwarezoo
Ferdous Saljooki
14 days
RT @txhaflaire: Jamf Threat Labs uncovered a new variant of the Odyssey Infostealer — signed and notarized at the time of discovery. This….
jamf.com
Discover new technical insights into the Odyssey Stealer malware, including signed & notarized variants, SwiftUI-based social engineering, and advanced persistence techniques.
@malwarezoo
Ferdous Saljooki
1 month
IOCs:

2/2
@malwarezoo
Ferdous Saljooki
1 month
BlueNoroff has been actively targeting victims in the crypto space. On macOS, they've used Script Editor for initial access and now leveraging Automator to bypass Gatekeeper checks. Here are two lures that cleverly download additional payloads and display a decoy PDF, all via
@malwarezoo
Ferdous Saljooki
1 month
RT @birchb0y: excited bc today @HuntressLabs is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!!….
huntress.com
Learn how DPRK's BlueNoroff group executed a Web3 macOS intrusion. Explore the attack chain, malware, and techniques in our detailed technical report.
@malwarezoo
Ferdous Saljooki
2 months
Related hashes (SHA-1):

de8aca685871ade8a75e4614ada219025e2d6fd7 (Termius9.5.0.dmg)
7087be726590e35285c891dc60acec826a0c03d5 (Termius_final.dmg)
fa9b89d4eb4d47d34f0f366750d55603813097c1 (xssooxxagent - persistent downloader)
@malwarezoo
Ferdous Saljooki
2 months
Modified versions of Termius (SSH client) were uploaded to VirusTotal that contain a persistent downloader which fetches and decodes Khepri (an open-source post-exploitation tool).

/Applications/Termius.app/Contents/Frameworks/Termius Helper .app/Contents/MacOS/.localized

1/n
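The two posts above (the hidden `.localized` downloader planted under a helper app's `Contents/MacOS`, and the SHA-1 IOCs) suggest a simple triage check: walk an `.app` bundle, flag any dot-prefixed or Mach-O file living in a `Contents/MacOS` directory, and compare file hashes against the posted IOCs. The block below is an added example written for this page, not the author's or Jamf's tooling. The bundle it builds in a temporary directory is constructed for the demo and mirrors the path quoted in the post; its files are placeholder Mach-O headers, not the real malware, so only the hidden-file check fires on it and the hash lookup is exercised separately.

```python
"""Triage an .app bundle for hidden executables and known-bad SHA-1s.

Added example for this page (not the author's code). Walks every
Contents/MacOS directory under a bundle, flags dot-prefixed entries and
Mach-O files in unexpected places, and checks SHA-1s against the IOCs
posted in the thread. build_sample_bundle() creates a constructed
Termius-shaped bundle so the scan runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# SHA-1 IOCs quoted from the thread above.
KNOWN_BAD_SHA1 = {
    "de8aca685871ade8a75e4614ada219025e2d6fd7": "Termius9.5.0.dmg",
    "7087be726590e35285c891dc60acec826a0c03d5": "Termius_final.dmg",
    "fa9b89d4eb4d47d34f0f366750d55603813097c1": "xssooxxagent (persistent downloader)",
}

# Mach-O magic values (32/64-bit, both byte orders) and the FAT/universal magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def sha1_of(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_macho(path: str) -> bool:
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def check_hash(digest: str) -> Optional[str]:
    """Name of the matching IOC, or None."""
    return KNOWN_BAD_SHA1.get(digest.lower())


def scan_bundle(bundle: str) -> List[Dict[str, str]]:
    """Findings for files under any Contents/MacOS directory in the bundle."""
    findings = []
    for root, _dirs, files in os.walk(bundle):
        if os.path.basename(root) != "MacOS" or \
           os.path.basename(os.path.dirname(root)) != "Contents":
            continue
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            digest = sha1_of(path)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden file in Contents/MacOS")
                if looks_macho(path):
                    reasons.append("hidden file is Mach-O")
            ioc = check_hash(digest)
            if ioc:
                reasons.append("known IOC: " + ioc)
            if reasons:
                findings.append({"path": os.path.relpath(path, bundle),
                                 "sha1": digest, "reasons": "; ".join(reasons)})
    return findings


def build_sample_bundle() -> str:
    """Constructed Termius-shaped bundle (placeholder binaries, not real malware)."""
    base = tempfile.mkdtemp(prefix="bundle-demo-")
    app = os.path.join(base, "Termius.app")
    helper = os.path.join(app, "Contents", "Frameworks", "Termius Helper .app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    os.makedirs(os.path.join(helper, "Contents", "MacOS"))
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 60   # 64-bit little-endian header stub
    for rel in (("Contents", "MacOS", "Termius"),):
        with open(os.path.join(app, *rel), "wb") as f:
            f.write(fake_macho)
    with open(os.path.join(helper, "Contents", "MacOS", "Termius Helper"), "wb") as f:
        f.write(fake_macho)
    # Stand-in for the planted downloader at the path quoted in the post.
    with open(os.path.join(helper, "Contents", "MacOS", ".localized"), "wb") as f:
        f.write(fake_macho + b"downloader-stand-in")
    return app


if __name__ == "__main__":
    for finding in scan_bundle(build_sample_bundle()):
        print(finding["path"], finding["sha1"], "->", finding["reasons"])
```

On a live host the first thing to run against a suspect bundle is still `codesign -vvv --deep --strict <bundle>`; this scan is for the case where you only have the extracted files, or want to hunt across many machines for the "hidden executable next to the real one" pattern regardless of which payload it carries.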
@malwarezoo
Ferdous Saljooki
5 months
After posting the hunting query for macOS stealers yesterday, I noticed today that the ".file" extension for the scripts was changed to randomized extensions like "BraveTalk_Setup.ASpCp" and "Harmony.hklnP". The malware authors are paying attention 😆
@malwarezoo
Ferdous Saljooki
5 months
This creates a detection opportunity by looking for script executions with a .file extension running from a mounted volume where the responsible process is Terminal and optionally the script has a resource fork that stores an icon image.
@malwarezoo
Ferdous Saljooki
5 months
Many of the recent stealers social-engineer victims into overriding Gatekeeper controls by instructing them to drag and drop and run an obfuscated shell script from the Terminal. This script essentially runs a hidden executable contained within the disk image.
@malwarezoo
Ferdous Saljooki
5 months
If you’re hunting for macOS stealers, this VirusTotal query yields good results:

type:script filename:"/Volumes/" filename:".file" behavior_command_executions:base64
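The four posts above describe one piece of tradecraft and its detection: a victim drags an obfuscated shell script off a mounted disk image into Terminal, the script decodes and runs a hidden executable from the same volume, and the script initially carried a `.file` extension (later swapped for randomized suffixes such as `BraveTalk_Setup.ASpCp`) plus a resource fork holding a custom icon. The hunt translates the VirusTotal query into host telemetry: a shell executing a script from `/Volumes/` with Terminal as the responsible process, corroborated by the odd extension, the resource fork, or an inline decoder. The block below is an added example written for this page, not the author's or Jamf's detection content. It models process-start records as plain Python objects so it runs offline; the field names (`argv`, `responsible_app`, `xattrs`, `script_text`) and the bundle identifiers are assumptions about what an EDR records, not a vendor schema, and the sample events are constructed.

```python
"""Hunt rule for drag-and-drop stealer scripts run from a mounted DMG.

Added example for this page (not the author's code). Evaluates constructed
process-start events; the ExecEvent fields are an assumed EDR shape.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHELLS = {"sh", "bash", "zsh", "dash"}
# Suffixes that legitimately appear on shell scripts. Anything else matching
# the randomized pattern seen later (five mixed-case letters, e.g. .ASpCp,
# .hklnP) is treated as a randomized extension.
KNOWN_EXTS = {"sh", "bash", "zsh", "command", "tool", "txt", "py", "rb", "pl"}
RANDOM_EXT = re.compile(r"^[A-Za-z]{5}$")
# Decoders the obfuscated droppers use to unpack the hidden payload.
DECODE_HINT = re.compile(r"\bbase64\b|\bopenssl\s+enc\b", re.IGNORECASE)


@dataclass
class ExecEvent:
    argv: List[str]
    responsible_app: str                                  # bundle id of responsible process
    xattrs: Dict[str, int] = field(default_factory=dict)  # xattr name -> size in bytes
    script_text: str = ""                                 # head of the script, if captured


def script_path(ev: ExecEvent) -> Optional[str]:
    """Script argument of a shell invocation, or None if this is not a script run."""
    if not ev.argv or os.path.basename(ev.argv[0]) not in SHELLS:
        return None
    for arg in ev.argv[1:]:
        if not arg.startswith("-"):
            return arg
    return None


def extension_kind(path: str) -> Optional[str]:
    ext = os.path.splitext(path)[1][1:]
    if ext == "file":
        return "'.file' extension"
    if ext and ext not in KNOWN_EXTS and RANDOM_EXT.match(ext):
        return "randomized extension '.%s'" % ext
    return None


def evaluate(ev: ExecEvent) -> List[str]:
    """Reasons the event matches; an empty list means no match.

    Required: a shell running a script from /Volumes/ with Terminal as the
    responsible process. '.file' alone then fires; a randomized extension
    needs corroboration (resource fork or inline decoder) to avoid noise.
    """
    path = script_path(ev)
    if path is None or not path.startswith("/Volumes/"):
        return []
    if ev.responsible_app != "com.apple.Terminal":
        return []
    ext = extension_kind(path)
    if ext is None:
        return []
    reasons = [ext, "script executed from mounted volume via Terminal"]
    if ev.xattrs.get("com.apple.ResourceFork", 0) > 0:
        reasons.append("resource fork present (custom icon)")
    if DECODE_HINT.search(ev.script_text):
        reasons.append("inline decoder in script")
    if ext.startswith("randomized") and len(reasons) == 2:
        return []
    return reasons


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ExecEvent(["/bin/bash", "/Volumes/BraveTalk/BraveTalk_Setup.file"],
              "com.apple.Terminal", {"com.apple.ResourceFork": 28000},
              "eval \"$(echo 'Y2htb2QgK3ggLi9iaW4=' | base64 -d)\""),
    ExecEvent(["/bin/zsh", "/Volumes/Harmony/Harmony.hklnP"],
              "com.apple.Terminal", {"com.apple.ResourceFork": 31000}),
    ExecEvent(["/bin/bash", "/Users/dev/build.sh"], "com.apple.Terminal"),
    ExecEvent(["/bin/sh", "/Volumes/Tool/postinstall.sh"], "com.apple.installer"),
    ExecEvent(["/bin/bash", "/Volumes/Notes/README.ASpCp"], "com.apple.Terminal"),
]


def run_hunt(events: List[ExecEvent] = SAMPLE_EVENTS) -> List[int]:
    """Indices of matching events, in order."""
    return [i for i, ev in enumerate(events) if evaluate(ev)]


if __name__ == "__main__":
    for i in run_hunt():
        print(i, SAMPLE_EVENTS[i].argv[-1], evaluate(SAMPLE_EVENTS[i]))
```

Terminal plus `/Volumes/` on its own is not enough: some legitimate installers ask the user to run a script from a DMG, which is exactly why the rule leans on the extension and the resource fork, and why the authors' move to randomized suffixes forced the corroboration step rather than a simple string match.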
@malwarezoo
Ferdous Saljooki
5 months
XCSSET payload recently uploaded to VirusTotal appears to align with Microsoft's findings, including persistence via zshrc and dock.
@MsftSecIntel
Microsoft Threat Intelligence
5 months
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that targets users by infecting Xcode projects, in the wild. While we’re only seeing this new XCSSET variant in limited attacks at this time, we’re sharing this information
@malwarezoo
Ferdous Saljooki
8 months
RT @patrickwardle: "Radiant Capital was targeted by a highly sophisticated [macOS] cyberattack that resulted in a loss valued at approximat….
medium.com
2024–12–06
@malwarezoo
Ferdous Saljooki
8 months
I had an amazing time at #obts catching up with old friends and meeting new ones. The talks were all fantastic and this community is truly one of a kind. Huge thanks to @andyrozen and @patrickwardle for hosting yet another successful conference. Looking forward to Ibiza next.
@objective_see
Objective-See Foundation
8 months
In the world of computers, 8 marks a shift to the next level - #OBTS v8 will embody that leap forward! 🤩. So mark your calendars & set an 'out of office' for the week of Oct. 12th, because #OBTS v8 is heading to sunny Ibiza! 🌴🇪🇸 . more details soon 🫣
@malwarezoo
Ferdous Saljooki
9 months
RT @jbradley89: Today we released a blog post detailing how threat actors are using the Flutter Engine to build malware for macOS. This res….
jamf.com
With malicious code hidden within, the new malware with ties to DPRK, has evaded detection by notable malware checking systems that may signal a new way of attacking macOS devices.
@malwarezoo
Ferdous Saljooki
9 months
RT @DefSecSentinel: Great find and fantastic write-up by my friends @malwarezoo and @jbradley89 over @JamfSoftware. Go check it out. Very i….
@malwarezoo
Ferdous Saljooki
9 months
RT @patch1t: As promised, I just dropped a dozen new sandbox escape vulnerabilities at #POC2024. If you missed the talk, here is the blog po….
github.com
Mickey's Blogs. Contribute to jhftss/jhftss.github.io development by creating an account on GitHub.
@malwarezoo
Ferdous Saljooki
10 months
RT @08Tc3wBB: My bug CVE-2024-44131 got patched on iOS 18.0. It’s an iOS TCC bypass bug that lets third-party apps access data stored on iC….