New Tiny FUD Attacking macOS Users Bypassing Antivirus and Security Tools


A new, highly sophisticated malware known as Tiny FUD has been identified, targeting macOS users with advanced evasion techniques that allow it to bypass traditional antivirus and security tools.

This malware leverages process name spoofing, DYLD injection, and C2-based command execution to remain undetected.

The malware is particularly dangerous because these evasion techniques leave little for signature-based antivirus and standard security tooling to match on, which is what makes it hard to detect.


The Denwp Research team notes that Tiny FUD is designed to be "Fully Undetectable" (FUD) and employs several stealth mechanisms to evade detection.

Attack Chain

Static analysis with Detect It Easy (DIE) showed that the binary was built with modern macOS tooling, probably Xcode.

The presence of a codesign signature shows the binary was signed. Signing by itself does not bypass Gatekeeper, which also expects notarization for downloaded software, and it has no bearing on SIP, which protects system locations regardless of who signed a binary. What the signature buys the malware is the ability to carry its own entitlements, described further down.

DIE (Source – Denwp Research)

This insight helps identify the malware’s origin and evasion strategies.

  1. Process Name Spoofing: The malware changes its process name to mimic legitimate Apple services, such as com.apple.Webkit.Networking, com.apple.Safari.helper, com.apple.security.agent, or com.apple.system.events.

This is achieved using the osascript command, making it difficult to identify in Activity Monitor. Note the lowercase "k" in Webkit: the genuine XPC service is com.apple.WebKit.Networking, so the spoofed name is a near-match rather than an exact one.

Osascript (Source – Denwp Research)
   osascript -e 'tell application "System Events" to set name of first process whose unix id of (processes) is (unix id of (current application)) to "com.apple.Webkit.Networking"'
  2. DYLD Injection: Tiny FUD sets the DYLD_INSERT_LIBRARIES environment variable so that dyld loads a chosen library into a process at launch. This is a documented loader feature rather than a bug: dyld ignores the variable for Apple platform binaries and for hardened-runtime apps unless the target carries the com.apple.security.cs.allow-dyld-environment-variables entitlement, which is why the entitlements the malware grants itself (see below) matter. The write-up associates the technique with CVE-2022-26712.
   DYLD_INSERT_LIBRARIES=/System/Library/PrivateFrameworks/ShoveService.framework/ShoveService
  3. C2 Command Execution: The malware connects to a Command and Control (C2) server at a hardcoded IP address and port (69[.]197[.]175[.]10:9999) to receive and execute commands. This includes capturing screenshots and sending them back to the C2 server.
   // Hardcoded C2 IP and Port
   char *c2_ip = "69.197.175.10";
   int c2_port = 9999;
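The two host-side tells from the list above, a lookalike Apple process name backed by a binary outside Apple-owned paths and a process started with DYLD_INSERT_LIBRARIES in its environment, can be checked mechanically. The script below is an added example, not Denwp Research's tooling. Its process records are constructed to stand in for what you would gather on a macOS host from ps (pid and name), the resolved executable path, and the process environment (`ps -E`, which needs root for other users' processes); the allow-list of Apple-owned directories and the short list of exact-case Apple service names are assumptions to extend for your own fleet.

```python
"""Triage process records for Apple-name spoofing and DYLD injection.

Added example. Records are constructed; collection from a live host is
left to the caller.
"""

import os
from dataclasses import dataclass, field
from typing import Optional

# Assumed list of root-owned / SIP-protected locations. A process that calls
# itself com.apple.* but runs from anywhere else deserves a look.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Constructed, partial allow-list of genuine Apple service names with their
# exact case. Catches "Webkit" (lowercase k) standing in for "WebKit".
KNOWN_APPLE_NAMES = {
    "com.apple.WebKit.Networking",
    "com.apple.WebKit.WebContent",
    "com.apple.Safari.History",
}


@dataclass
class Proc:
    pid: int
    name: str                     # name as shown by ps / Activity Monitor
    exe: str                      # resolved executable path
    env: dict = field(default_factory=dict)


def impersonates_apple(p: Proc) -> bool:
    """Apple-style name whose binary lives outside Apple-owned locations."""
    return p.name.lower().startswith("com.apple.") and not p.exe.startswith(APPLE_OWNED_PREFIXES)


def lookalike_name(p: Proc) -> bool:
    """Matches a known Apple name case-insensitively but not exactly."""
    if p.name in KNOWN_APPLE_NAMES:
        return False
    return any(p.name.lower() == k.lower() for k in KNOWN_APPLE_NAMES)


def name_vs_binary_mismatch(p: Proc) -> bool:
    """Displayed name differs from the executable's file name."""
    return os.path.basename(p.exe) != p.name


def dyld_insert(p: Proc) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES value if the process was started with it."""
    return p.env.get("DYLD_INSERT_LIBRARIES")


def triage(procs: list) -> dict:
    """Map pid -> list of reasons, only for processes that trip at least one check."""
    findings = {}
    for p in procs:
        reasons = []
        if impersonates_apple(p):
            reasons.append(f"apple-style name from non-Apple path {p.exe}")
        if lookalike_name(p):
            reasons.append(f"case lookalike of a real Apple service name: {p.name}")
        if name_vs_binary_mismatch(p):
            reasons.append(f"name {p.name!r} != binary {os.path.basename(p.exe)!r}")
        lib = dyld_insert(p)
        if lib:
            reasons.append(f"DYLD_INSERT_LIBRARIES={lib}")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample: one genuine WebKit networking process, one lookalike
# started with the environment variable set, one unrelated system daemon.
SAMPLE = [
    Proc(201, "com.apple.WebKit.Networking",
         "/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/"
         "com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking"),
    Proc(4711, "com.apple.Webkit.Networking", "/Users/alice/Library/Caches/.tiny",
         {"DYLD_INSERT_LIBRARIES":
          "/System/Library/PrivateFrameworks/ShoveService.framework/ShoveService"}),
    Proc(88, "loginwindow",
         "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Only the constructed pid 4711 is reported, for all four reasons; the genuine com.apple.WebKit.Networking passes every check because its name matches the binary and the binary lives under /System. The name checks are heuristics and will miss a spoof that copies a real name exactly and runs from a writable Apple-owned path, so treat the environment check as the stronger signal.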

The malware employs stealth mechanisms by self-signing, whereby it resigns itself with added runtime entitlements.

Entitlements File Structure (Source – Denwp Research)

This process lets the malware disable executable page protection and enable DYLD environment variables, which it achieves by generating an XML-based entitlements file and re-signing itself with it. These entitlements relax the hardened runtime for the malware's own process only; they do not by themselves let it inject into another signed process, whose own signature still decides whether dyld honours the variable.

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
   <plist version="1.0">
   <dict>
       <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
       <true/>
       <key>com.apple.security.cs.disable-executable-page-protection</key>
       <true/>
       <key>com.apple.security.cs.allow-dyld-environment-variables</key>
       <true/>
       <key>com.apple.security.get-task-allow</key>
       <true/>
       <key>com.apple.security.cs.debugger</key>
       <true/>
   </dict>
   </plist>
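An entitlements file like the one above is exactly what a triage script should look for, since it is the profile of a binary that has switched off every hardened-runtime code-integrity guard. The script below is an added example, not Denwp Research's tooling: it parses an entitlements plist with the standard library and reports the risky keys. On macOS you would feed it the output of `codesign -d --entitlements :- <binary>` (older releases) or `codesign -d --entitlements - --xml <binary>` (recent releases); the two plists embedded here are constructed, one mirroring the keys in the write-up and one for a benign sandboxed app. The sixth key on the watch-list, disable-library-validation, is not in the write-up's sample and is added here as a related entitlement.

```python
"""Flag hardened-runtime relaxations in an entitlements plist.

Added example. Plists are constructed stand-ins for codesign output.
"""

import plistlib

# Apple's documented hardened-runtime / debugging entitlement keys and why
# each matters for injection.
RISKY = {
    "com.apple.security.cs.allow-dyld-environment-variables":
        "dyld honours DYLD_INSERT_LIBRARIES and friends for this process",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned code may be mapped executable",
    "com.apple.security.cs.disable-executable-page-protection":
        "executable pages may be modified at runtime",
    "com.apple.security.get-task-allow":
        "other processes may obtain this task port (debug/inject)",
    "com.apple.security.cs.debugger":
        "may attach to other processes as a debugger",
    "com.apple.security.cs.disable-library-validation":
        "may load libraries not signed by the same team or Apple",
}

# All three together mean the code-integrity side of the hardened runtime
# is off: the profile the write-up describes.
INJECTION_PROFILE = {
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-executable-page-protection",
}


def risky_entitlements(plist_bytes: bytes) -> dict:
    """Return {key: why} for every risky entitlement that is set to true."""
    ents = plistlib.loads(plist_bytes)
    return {k: why for k, why in RISKY.items() if ents.get(k) is True}


def verdict(plist_bytes: bytes) -> str:
    """'injection-ready' if the full profile is present, 'review' for any
    single risky key, 'clean' otherwise."""
    found = set(risky_entitlements(plist_bytes))
    if INJECTION_PROFILE <= found:
        return "injection-ready"
    if found:
        return "review"
    return "clean"


# Constructed sample mirroring the keys shown in the write-up.
TINY_FUD_STYLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
"""

# Constructed benign sample: a sandboxed app that only asks for network access.
SANDBOXED_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, blob in (("tiny-fud-style", TINY_FUD_STYLE), ("sandboxed app", SANDBOXED_APP)):
        print(label, "->", verdict(blob))
        for key, why in risky_entitlements(blob).items():
            print("   ", key, ":", why)
```

A key set to false is deliberately treated as absent, so a debug build that ships get-task-allow as false does not trip the check. In a fleet sweep, run this over every Mach-O under user-writable paths; a self-signed binary outside /Applications carrying the injection profile is a short list worth reading by hand.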

The malware hides itself from Finder by setting the invisible attribute with the SetFile command. SetFile ships with the Xcode Command Line Tools rather than base macOS; `chflags hidden` does the equivalent on a stock system. Either way the file is only hidden from Finder: `ls -la` still lists it, `GetFileInfo -a` shows the SetFile attribute, and `ls -lO` shows the chflags hidden flag.

  SetFile -a V "/path/to/malware"

Users are advised to keep their systems updated with the latest security patches. For defenders, the more useful checks follow directly from the techniques above: look for self-signed binaries outside /Applications that carry the entitlements listed here, for processes whose displayed name does not match their executable, and for processes started with DYLD_INSERT_LIBRARIES in their environment, rather than relying on signature-based antivirus alone.
