New macOS Malware ‘Hydromac’ Discovered in Flashcard App Data

  • Indexed flashcard app data exposed a previously undocumented macOS malware that is linked with known strains.
  • Someone who may or may not be directly connected with the malware exposed the details and their own PII.
  • Flashcard apps have turned into a new form of data exposure space that re-sparked old investigations.

It looks like Bellingcat’s discovery of juicy nuclear warhead details that were leaked by Flashcard apps online has inspired researchers across a wide spectrum, as we now have a report about the discovery of a novel macOS malware that was exposed in a similar manner. The discovery of the malware came from Confiant a while back, who named the malware “MapperState” and confirmed that the malicious bundle comes with the usual and inexplicable Apple notarization.

The infection begins with dropping a legit copy of Adobe Flash Player, which is also very common among macOS malware strains. Still, MapperState’s features, encryption scheme, debug symbols, and strings were all hidden, encrypted, or stripped. By digging deeper, the researchers were able to confirm that the malware had the capability to fetch more payloads and also check for installed AV tools, but not much else was discerned.

This is where the flashcard app leaks come into play, as the researchers recently used what decrypted strings they held to search on the internet, and the gods (Google) answered. Someone based in San Diego had created a flashcards app account with content matching what was found in MapperState’s code. In the published flashcards, the researchers found another macOS malware named “Hydromac,” which appears to have the same commands as in their sample.

Source: Confiant

Using the additional data to further their analysis, Confiant figured that MapperState was actually a Hydromac root agent. This is why it didn’t feature the entire commands set but instead focused only on fetching other payloads. Another finding has to do with how the malware is distributed, which appears to involve malvertising campaigns that serve both “Tarmac” and “Hydromac.”

The Flashcard user (who may or may not be the author of the malware) has also exposed a real name, photo ID, personal email address, a GitHub repository, and maybe even a physical address. Confiant hasn’t given any actual details on that part, but they mention a link to an ad campaigns organization called “CashWithFB,” which generally follows a questionable business approach.

While no definitive connection has been verified here, the pieces fit, and the law enforcement authorities definitely have somewhere to start from. It is unclear if Confiant has shared these details with any investigators, but this is definitely a case that’s worth further inquiry.

How to Watch Interior Design Masters Season 4 Online from Anywhere
Fans of this reality show, which offers ambitious designers a chance to demonstrate their abilities and pursue their dreams of becoming professional...
How to Watch Rock The Block Season 4 Online: Stream the Renovation Series from Anywhere
Rock the Block, the smash hit home remodeling contest series, is back for its most fantastic season ever! The new six-episode season...
How to Watch Spring Baking Championship Season 9 Online: Stream the Cooking Competition from Anywhere
There’s no better way to welcome spring with some freshly baked goods, and that’s precisely how we’ll usher in the good weather...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari