Spyware threat haunts squeaky-clean iPhones

Research finds rogue app privacy risks to regulation models


Apple's line that iPhone users who toe the line and resist any temptation to jailbreak, unlock or otherwise desecrate their smartphone are protected from threats has been called into question by new research.

Swiss iPhone developer Nicolas Seriot has published research on security shortcomings that could create a mechanism for hackers to lift data from regulation iPhones. Email accounts, keyboard entries held in cache and browser history files are all potentially exposed by a malicious app.

Seriot has developed a proof of concept app, called SpyPhone, in order to demonstrate how Apple’s own APIs might be misused to read or edit a user's address book, browse web surfing history, recent GPS position and more.

Attack scenarios detailed by Seriot would rely on tricking Apple into granting approval to a malicious app, a considerable though perhaps not insurmountable hurdle for hackers.

Apple's reviewers might be fooled by hackers who delayed the activation of their spyware. Payload encryption might also be used to obscure the behaviour of malicious code.

No exploits or third-party APIs would be involved in such a rogue app.

The security researcher detailed the potential iPhone privacy risks he discovered in a talk in Geneva on Wednesday, during which he also outlined possible mobile security defence strategies (a summary is available as a PDF).

Seriot suggests that users should be prompted to authorise read or read-write access to the iPhone address book. He also suggests adding firewall functionality to the device (though since a firewall would need to run in the background all the time, this could result in a significant performance hit).

More straightforwardly, Seriot suggests that the keyboard cache on iPhones should be an OS service and not so readily available to applications. Wi-Fi connection history ought to be better hidden, he suggests.

Seriot concludes that although iPhone is still more secure than other platforms, sandboxing and AppStore reviews are necessary and ought to be improved. ®


Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’

Behaves like a legit software installer and phones home for instructions, but lacks a payload

US security consultancy Red Canary says it’s found MacOS malware written specifically for the shiny new M1 silicon that Apple created to power its post-Intel Macs.

Red Canary has named the malware “Silver Sparrow” and says it had found its way onto almost 30,000 MacOS devices as of February 17th.

Red Canary’s post says it has analysed two samples of the malware, one targeting x86 and the other targeting both x86 and Apple’s own M1 silicon. The firm says both samples “leverage the macOS Installer JavaScript API to execute suspicious commands.” That’s not unusual behaviour for a legitimate software installer package, but Red Canary says it’s not spotted it in malware before.


Laptops given to British schools came preloaded with remote-access worm

Department for Education says: 'We believe this is not widespread'

Updated: A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal.

The affected laptops, distributed to schools under the UK government's Get Help With Technology (GHWT) scheme, which started last year, came bundled with Gamarue – an old remote-access worm from the 2010s. This software nasty doesn't just spread from computer to computer, it also tries to connect to outside servers for instructions to carry out.

The Register understands that a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware. A spokesperson for the manufacturer was not available for comment.


NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it's suing us over

Antisocial network sought surveillance tech to boost its creepy Onavo Protect app, it is claimed

NSO Group – sued by Facebook for developing Pegasus spyware that targeted WhatsApp users – this week claimed Facebook tried to license the very same surveillance software to snoop on its own social-media addicts.

The Israeli spyware maker's CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO's Pegasus technology in Facebook's controversial Onavo Protect app to track mobile users.

Pegasus is designed to, once installed on a device, harvest its text messages, gather information about its apps, eavesdrop on calls, track its location, and harvest passwords, among other things.


Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

Mandrake handlers could snoop on whatever victim did with their phone

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender.

The malware, named Mandrake by the threat intelligence agency, featured a three-part structure that allowed its operators to evade detection by routine Google scanning.

Beginning with an innocuous-looking dropper hosted on the Google Play store, masquerading as one of a number of legitimate apps, Mandrake allowed its Russian operators to snoop on virtually everything unsuspecting targets did on their mobile phone.


Gootkit malware crew using SEO to get pwned websites in front of unwitting marks

And they're getting into the ransomware game too, warns Sophos

Gootkit financial malware has been resurrected to fling ransomware payloads at unwitting marks, according to Sophos.

The infosec firm said today that “criminal operators have turned the infection method” for the malware “into a complex delivery platform for a wide range of malware, including ransomware.”

Gootkit is an exploit kit that has been around for a good few years. Originally its operators set out to compromise legitimate websites and redirect their traffic towards hostile sites containing malware.


In a desperate bid to stay relevant in 2020's geopolitical upheaval, N. Korea upgrades its Apple Jeus macOS malware

Nork cash grab nasty gets stealthier

Malware hunters are sounding the alarm over a new, more effective version of the North Korean "Apple Jeus" macOS software nasty.

Kaspersky Lab's Global Research and Analysis Team has dissected what it says is a 'sequel' to the 2018 outbreak that targeted users on cryptocurrency sites for account theft.

Believed to be operating out of North Korea on behalf of the nation's authoritarian government, the Lazarus group looks to bring cash into the sanction-hit government's coffers by way of hacks on financial institutions, phishing and currency mining and theft operations.


B-but it doesn't get viruses! Not so, Apple fanbois: Mac malware is growing faster than nasties going for Windows

So says Malwarebytes, anyway

Software nasties targeted at MacOS are on the increase faster than ones for Windows, according to antivirus biz Malwarebytes.

Malicious software targeting users of Apple Macs has leapt over the last year, the security outfit said in its latest State of Malware report.

Describing this as an "exponential" increase, the firm said that detections of nasties targeted against innocent Apple fanbois were up 400 per cent year-on-year, while adding the caveat that its Mac userbase had also grown a bit.


UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China

It's like Hacking Team all over again

Russian antivirus maker Kaspersky has said it uncovered "rogue UEFI firmware images" seemingly developed by black hats with links to China.

The rogue images had been "modified from their benign counterpart to incorporate several malicious modules", according to a post on Kaspersky's Securelist blog, which named the attack MosaicRegressor.

"MosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payload on victim machines," said Kaspersky in a statement.


Tiny Kobalos malware seen backdooring SSH tools, menacing supercomputers, an ISP, and more – ESET

Linux variant studied, dissected in detail in case you want to look out for it

ESET researchers say they have found a lightweight strain of malware that targets multiple OSes and has hit supercomputers, an ISP, and other organisations.

Nicknamed Kobalos, the software nasty is said to be portable to Linux, the BSDs, Solaris, and possibly AIX and Windows. ESET researchers Marc-Etienne M.Léveillé and Ignacio Sanmillan appear to have analysed primarily the Linux version of the code. Here's a summary of the key findings from their research:


Malware attack that crippled Mumbai's power system came from China, claims infosec intel outfit Recorded Future

The fun started at the same time as border skirmishes

Updated: Security intelligence firm Recorded Future's Insikt Group has written a paper alleging China was behind attacks on India's electricity grid.

In a blog post and white paper (which requires registration to access), the firm said it had seen a notable increase in targeted attacks on India from Chinese state-sponsored groups.

The cybersecurity firm has named the offenders "RedEcho."


Biting the hand that feeds IT © 1998–2021