Apple Mac computers are rarely the target of cyber-espionage attacks. However, a previously unknown APT group, WindShift, managed for several years to run its operations, attack Mac users, and go unnoticed.
According to a report by DarkMatter security researcher Taha Karim, the hackers successfully avoided detection for several years because they attacked rarely and only specific people (only two attacks in 2017 and three in 2018). Their victims were employees of government agencies and critical infrastructure companies in countries of the Middle East.
Preparations began long before the attack itself. The attackers created fake social-network profiles and then sent the future victim a friend request. Having established contact through private messages, they collected useful information such as phone numbers, email addresses, etc.
Over a period of 6 months to a year, the attackers tracked the victim through innocuous emails, identifying their interests, location, the computer they used, how often they clicked links, etc. Based on the collected data, content tailored to each victim was prepared, and then the attack began.
In particular, the hackers sent the victim a phishing email with a link to a website under their control, where a drive-by attack loaded the Apple Mac with the WindTale (variants A and B) and WindTape malware.
WindTale A is a signed backdoor that steals files with the extensions .txt, .pdf, .doc, .docx, .ppt, .pptx, .db, .rtf, .xls and .xlsx. It was first used in January 2017. WindTale B appeared in January of this year and is a rewritten version of WindTale A. In addition to stealing data, the malware also loads the WindTape malware onto the victim's computer; WindTape shares features with the Komplex OSX Trojan used by the APT28 group.
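The document-theft behaviour described above gives a defender a concrete signal to hunt for: a single process opening many user documents of exactly those types in a short time. The following is an added example, not code from the article or from DarkMatter; it runs a simple bulk-read heuristic over constructed file-access log lines. The log format, process names (`updater`, `Preview`, `TextEdit`) and paths are all invented for illustration, and the 5-minute window and 5-file threshold are assumptions a real deployment would tune.

```python
"""Bulk document-read detector (added example, not from the article).

Flags any process that opens at least `threshold` distinct files with the
extensions WindTale is reported to steal within a sliding time window.
Input events are constructed here; in practice they would come from an
endpoint file-monitor feed."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions listed in the article as WindTale's theft targets.
TARGET_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".ppt",
                     ".pptx", ".db", ".rtf", ".xls", ".xlsx"}

# Constructed sample log (hypothetical format: ISO timestamp, then key=value
# fields; the path is last so it may contain spaces).
SAMPLE_LOG = """
2018-08-02T10:00:00 pid=300 proc=Preview op=open path=/Users/alice/Documents/report.pdf
2018-08-02T10:01:10 pid=512 proc=TextEdit op=open path=/Users/alice/Documents/notes.txt
2018-08-02T10:15:01 pid=4211 proc=updater op=open path=/Users/alice/Documents/budget.xlsx
2018-08-02T10:15:02 pid=4211 proc=updater op=open path=/Users/alice/Documents/plan.docx
2018-08-02T10:15:02 pid=4211 proc=updater op=open path=/Users/alice/Documents/holiday photo.png
2018-08-02T10:15:03 pid=4211 proc=updater op=open path=/Users/alice/Desktop/contacts.db
2018-08-02T10:15:04 pid=4211 proc=updater op=open path=/Users/alice/Documents/deck.pptx
2018-08-02T10:15:05 pid=4211 proc=updater op=open path=/Users/alice/Documents/memo.rtf
2018-08-02T10:15:06 pid=4211 proc=updater op=open path=/Users/alice/Documents/memo.rtf
2018-08-02T10:16:30 pid=4211 proc=updater op=open path=/Users/alice/Documents/old report.doc
2018-08-02T10:25:00 pid=512 proc=TextEdit op=open path=/Users/alice/Documents/todo.txt
2018-08-02T10:40:00 pid=512 proc=TextEdit op=open path=/Users/alice/Documents/ideas.txt
"""


def parse_event(line):
    """Parse one log line into a dict with a datetime 'ts' and string fields."""
    ts_text, rest = line.split(" ", 1)
    # maxsplit=3 keeps the whole path (spaces included) as the last field.
    fields = dict(kv.split("=", 1) for kv in rest.split(" ", 3))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def find_bulk_readers(lines, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (pid, proc) whose densest window of distinct
    target-document opens reaches `threshold`."""
    opens_by_proc = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["op"] != "open":
            continue
        if os.path.splitext(ev["path"])[1].lower() not in TARGET_EXTENSIONS:
            continue  # non-document reads (images, binaries) are ignored
        opens_by_proc[(ev["pid"], ev["proc"])].append((ev["ts"], ev["path"]))

    alerts = []
    for (pid, proc), opens in opens_by_proc.items():
        opens.sort()
        best, best_span = 0, None
        start = 0
        # Sliding window over the time-ordered opens; count distinct paths so
        # re-reading the same file does not inflate the score.
        for end in range(len(opens)):
            while opens[end][0] - opens[start][0] > window:
                start += 1
            distinct = len({p for _, p in opens[start:end + 1]})
            if distinct > best:
                best, best_span = distinct, (opens[start][0], opens[end][0])
        if best >= threshold:
            alerts.append({"pid": pid, "proc": proc, "files": best,
                           "first": best_span[0], "last": best_span[1]})
    return alerts


if __name__ == "__main__":
    for a in find_bulk_readers(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={a['pid']} proc={a['proc']} "
              f"opened {a['files']} documents between {a['first']} and {a['last']}")
```

On the sample data only `updater` trips the rule: it opens six distinct target documents within 90 seconds, while the image read and the repeated `memo.rtf` open are not counted, and `TextEdit`'s three text files are spread across 40 minutes. Counting distinct files per process over a window, rather than raw open events, is what keeps ordinary editors and previewers out of the alert list.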