New macOS Malware ‘Hydromac’ Discovered in Flashcard App Data

  • Indexed flashcard app data exposed a previously undocumented macOS malware that is linked with known strains.
  • Someone who may or may not be directly connected with the malware exposed the details and their own PII.
  • Flashcard apps have turned into a new form of data exposure space that re-sparked old investigations.

It looks like Bellingcat’s discovery of juicy nuclear warhead details that were leaked by Flashcard apps online has inspired researchers across a wide spectrum, as we now have a report about the discovery of a novel macOS malware that was exposed in a similar manner. The discovery of the malware came from Confiant a while back, who named the malware “MapperState” and confirmed that the malicious bundle comes with the usual and inexplicable Apple notarization.

The infection begins with dropping a legit copy of Adobe Flash Player, which is also very common among macOS malware strains. Still, MapperState’s features, encryption scheme, debug symbols, and strings were all hidden, encrypted, or stripped. By digging deeper, the researchers were able to confirm that the malware had the capability to fetch more payloads and also check for installed AV tools, but not much else was discerned.

This is where the flashcard app leaks come into play, as the researchers recently used what decrypted strings they held to search on the internet, and the gods (Google) answered. Someone based in San Diego had created a flashcards app account with content matching what was found in MapperState’s code. In the published flashcards, the researchers found another macOS malware named “Hydromac,” which appears to have the same commands as in their sample.

Source: Confiant

Using the additional data to further their analysis, Confiant figured that MapperState was actually a Hydromac root agent. This is why it didn’t feature the entire commands set but instead focused only on fetching other payloads. Another finding has to do with how the malware is distributed, which appears to involve malvertising campaigns that serve both “Tarmac” and “Hydromac.”

The Flashcard user (who may or may not be the author of the malware) has also exposed a real name, photo ID, personal email address, a GitHub repository, and maybe even a physical address. Confiant hasn’t given any actual details on that part, but they mention a link to an ad campaigns organization called “CashWithFB,” which generally follows a questionable business approach.

While no definitive connection has been verified here, the pieces fit, and the law enforcement authorities definitely have somewhere to start from. It is unclear if Confiant has shared these details with any investigators, but this is definitely a case that’s worth further inquiry.

How to Watch Prix de l’Arc de Triomphe 2022 Live Stream Online from Anywhere
The Prix de l'Arc de Triomphe is finally upon us, and there is great excitement ahead of what should be a captivating...
How to Watch The Gabby Petito Story Online From Anywhere: Stream the Skyler Samuels & Evan Hall Movie
You may remember the Gabby Petito case that made the news last year, and a movie based on this true story is...
How to Watch Killer Cases Season 3 Online From Anywhere
Get ready for a new season of this chilling series that fascinates true crime fans as Season 3 is set to premiere...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari