January 24, 2020
It looks like Bellingcat’s discovery of juicy nuclear warhead details that were leaked by Flashcard apps online has inspired researchers across a wide spectrum, as we now have a report about the discovery of a novel macOS malware that was exposed in a similar manner. The discovery of the malware came from Confiant a while back, who named the malware “MapperState” and confirmed that the malicious bundle comes with the usual and inexplicable Apple notarization.
The infection begins with dropping a legit copy of Adobe Flash Player, which is also very common among macOS malware strains. Still, MapperState’s features, encryption scheme, debug symbols, and strings were all hidden, encrypted, or stripped. By digging deeper, the researchers were able to confirm that the malware had the capability to fetch more payloads and also check for installed AV tools, but not much else was discerned.
This is where the flashcard app leaks come into play, as the researchers recently used what decrypted strings they held to search on the internet, and the gods (Google) answered. Someone based in San Diego had created a flashcards app account with content matching what was found in MapperState’s code. In the published flashcards, the researchers found another macOS malware named “Hydromac,” which appears to have the same commands as in their sample.
Using the additional data to further their analysis, Confiant figured that MapperState was actually a Hydromac root agent. This is why it didn’t feature the entire commands set but instead focused only on fetching other payloads. Another finding has to do with how the malware is distributed, which appears to involve malvertising campaigns that serve both “Tarmac” and “Hydromac.”
The Flashcard user (who may or may not be the author of the malware) has also exposed a real name, photo ID, personal email address, a GitHub repository, and maybe even a physical address. Confiant hasn’t given any actual details on that part, but they mention a link to an ad campaigns organization called “CashWithFB,” which generally follows a questionable business approach.
While no definitive connection has been verified here, the pieces fit, and the law enforcement authorities definitely have somewhere to start from. It is unclear if Confiant has shared these details with any investigators, but this is definitely a case that’s worth further inquiry.