In this week’s special edition of Security Bite, Mosyle, a leader in Apple Device Management and Security, has shared exclusive insights with DMN regarding a new category of Mac malware loaders. Mosyle’s Security Research team uncovered that these new threats utilize unconventional programming languages and several clever techniques to avoid detection.
A malware loader acts as a “foot in the door” for cybercriminals. Its primary function is to silently establish an initial foothold on a system, paving the way for more harmful malware to be introduced.
The recently uncovered loader samples were created using Nim, Crystal, and Rust—programming languages not typically associated with malware creation. Common languages in this sphere include Objective-C, C++, and Bash. This unconventional approach indicates that the attackers are intentionally attempting to bypass traditional antivirus detection methods.
While this methodology is indeed stealthy, I’m doubtful it will evolve into a widespread tactic. Using less popular programming languages like Nim or Rust poses significant challenges for cybercriminals. These languages likely involve more complex compilation processes compared to well-established options like C and Bash, as well as offering fewer readily available libraries and tools. The increased learning curve and more challenging debugging can lead to inadvertent digital traces that could expose their malware. After all, even cybercriminals aim for their code to operate smoothly—and currently, these experimental languages complicate that process.
Other evasion techniques identified include:
- Persistence via macOS’s launchctl mechanism
- Extended sleep intervals
- Directory validations prior to data transmission
According to Mosyle’s findings, the malware campaign is still in its infancy, possibly centered on data gathering. Telemetry data suggests the samples originated from systems based in Bulgaria and the United States.
Worryingly, the samples went undetected by VirusTotal for several days following their initial identification.
Below are the hashes of the three malware samples, along with their respective command and control (C2) domains:
- Nim sample: C2 domain strawberriesandmangos[.]com; hash f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07
- Crystal sample: C2 domain motocyclesincyprus[.]com; hash 2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702
- Rust sample: C2 domain airconditionersontop[.]com; hash 24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066
The security team at Mosyle is actively monitoring and researching these emerging threats. I will keep updating here as new information comes to light. The periods and brackets [.] serve to prevent active clicks on these domains; the Mosyle team indicates these C2 servers may still be operational.
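As an added defender-side example (not code from the article or from Mosyle's research), the script below ties the launchctl persistence technique to the three hashes listed above: it walks the standard launchd job directories, resolves the program each job plist starts, and compares that file's SHA-256 (the hash type is inferred from the 64-hex-digit length) against the listed sample hashes. The scan directories, the constructed sample plist and its label and path are assumptions.

```python
import hashlib
import plistlib
from pathlib import Path
# SHA-256 hashes of the three loader samples quoted in the article above.
KNOWN_SAMPLE_HASHES = {
    "f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07",  # Nim
    "2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702",  # Crystal
    "24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066",  # Rust
}
# Standard launchd job directories on macOS (assumed scan scope).
LAUNCHD_DIRS = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Constructed sample job plist (hypothetical label and path) for offline runs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.updater</string><string>--quiet</string></array>
</dict></plist>"""

def program_of_job(job):
    """Executable a parsed launchd job starts: 'Program', else ProgramArguments[0]."""
    return job.get("Program") or (job.get("ProgramArguments") or [None])[0]

def sha256_of_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_job(plist_bytes, digest_of=sha256_of_file):
    """Return (label, program, digest, matched); digest_of is injectable for tests."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    program = program_of_job(job)
    try:
        digest = digest_of(program) if program else None
    except OSError:
        digest = None  # the program the plist points at is missing or unreadable
    return job.get("Label"), program, digest, digest in KNOWN_SAMPLE_HASHES

def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Yield (path, label, program, digest, matched) for every job plist found."""
    for d in dirs:
        for plist in sorted(d.glob("*.plist")) if d.is_dir() else []:
            try:
                yield (plist,) + check_job(plist.read_bytes())
            except (plistlib.InvalidFileException, ValueError, AttributeError):
                continue  # malformed plist: skipped here, worth logging in production

if __name__ == "__main__":
    print(check_job(SAMPLE_PLIST, digest_of=lambda p: "00" * 32))  # constructed input
    for path, label, program, digest, matched in scan_launchd_dirs():
        print("MATCH" if matched else "ok", path, "->", program, digest)
```

A hash match only catches these exact samples; a job whose program lives in a temporary or hidden directory is still worth a manual look even when its digest is unknown.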