Wow, seems like quite a nifty attack that might fool a lot of people. And XProtect really isn't good enough in my view; it's way too easy to bypass, since it relies mostly on signatures. See also this article: https://www.malwarebytes.com/blog/news/2024/03/malicious-meeting-invite-fix-targets-mac-users
Hello @Rasheed187. Until much more clarity is brought to this attack's possible macOS defenses, I have added the corrected IP address of the apparent command & control server (C²) to my third-party firewall app. That C² IP address is beginning to be flagged in VirusTotal's detections. Of course, the above fails to address possible weaknesses of macOS/Calendar. At the very least, an appropriate CVE needs to be initiated, if not already in the works. Hopefully, we may see a fine-grained analysis by others soon. HTH
A third-party firewall should block this trojan anyway, unless it makes use of code injection, but I don't believe malware does this on macOS, because macOS has better protection against this out of the box, from what I understood. But it's not impossible; see the links. Bottom line is, macOS needs better behavior-blocking tools. https://www.darkreading.com/endpoint-security/researchers-explore-remote-code-injection-in-macos https://www.deepinstinct.com/blog/remote-code-injections-in-mac-os (can't download the report anymore)
Hello @Rasheed187. I agree. When discovered and published, I drop IPs and/or URLs on my third-party firewall. I also like that the new YARA rules are frequently used by Apple's macOS teams. However, I'm underwhelmed with the infrequent use of the new Bastion rules. Moreover, I wish XProtect/XProtect Remediator additions were released as soon as they are approved instead of on some arbitrary weekly schedule. Since Apple's macOS Sonoma 14.4 is now at its release control phase, maybe we will soon see some significant security improvements. Cheers
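The two posts above describe dropping a published C² IP address into a third-party firewall app. As an added example that is not part of the thread, the same block can be expressed for pf, the packet filter that ships with macOS, and generated from a plain blocklist file with validation, so a mistyped indicator is reported instead of silently blocking nothing. The anchor name `c2_block`, the table name `c2_hosts`, the path under `/etc/pf.anchors/` and every address below are assumptions made for this example; the addresses are RFC 5737 documentation ranges, not indicators from this campaign.

```shell
#!/bin/sh
# Added example (not from the thread): build a pf anchor that drops traffic to
# and from a list of suspected C2 addresses, so the block lives in the firewall
# macOS ships with instead of (or in addition to) a third-party firewall app.
# The names c2_hosts, c2_block and /etc/pf.anchors/c2_block and all addresses
# are assumptions for this example; addresses are RFC 5737 documentation ranges.

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 host or CIDR.
# A typo in a blocklist ends up as "nothing blocked", so validate before loading.
valid_ipv4() {
    _ip=$1 _pfx=32
    case "$_ip" in
        */*) _pfx=${_ip#*/}; _ip=${_ip%/*} ;;
    esac
    case "$_pfx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_pfx" -le 32 ] || return 1
    _save_ifs=$IFS
    IFS=.
    set -f                 # no globbing while we split on dots
    set -- $_ip            # octets become the function's positional params
    set +f
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# build_c2_anchor LISTFILE OUTFILE: turn a blocklist (one address or CIDR per
# line, '#' comments allowed) into a pf anchor file and print how many entries
# were kept. Invalid lines are reported on stderr and skipped rather than
# aborting, so one bad paste does not leave the whole list unloaded.
build_c2_anchor() {
    _list=$1 _out=$2 _kept=0
    {
        echo "# Generated from $_list; load with: pfctl -a c2_block -f $_out"
        echo "table <c2_hosts> persist {"
        while IFS= read -r _line || [ -n "$_line" ]; do
            _line=${_line%%#*}                                  # drop comments
            _line=$(printf '%s' "$_line" | tr -d '[:space:]')   # and whitespace
            [ -n "$_line" ] || continue
            if valid_ipv4 "$_line"; then
                echo "    $_line"
                _kept=$((_kept + 1))
            else
                echo "skipping invalid entry: $_line" >&2
            fi
        done < "$_list"
        echo "}"
        # 'quick' stops rule evaluation on match, so no later pass rule wins.
        echo "block drop out quick to <c2_hosts>"
        echo "block drop in quick from <c2_hosts>"
    } > "$_out"
    echo "$_kept"
}

# Demo with a constructed blocklist (documentation addresses, not real C2).
demo_dir=$(mktemp -d)
cat > "$demo_dir/c2_blocklist.txt" <<'EOF'
# constructed sample blocklist
203.0.113.10          # suspected C2 host
198.51.100.0/24       # the hosting range it sits in
2001:db8::1           # IPv6: rejected, this example handles IPv4 only
256.1.1.1             # typo: octet out of range
EOF
kept=$(build_c2_anchor "$demo_dir/c2_blocklist.txt" "$demo_dir/c2_block")
echo "kept $kept entries:"
cat "$demo_dir/c2_block"
# On macOS, as root, after adding the line  anchor "c2_block"  to /etc/pf.conf:
#   cp "$demo_dir/c2_block" /etc/pf.anchors/c2_block
#   pfctl -f /etc/pf.conf && pfctl -a c2_block -f /etc/pf.anchors/c2_block && pfctl -e
#   pfctl -a c2_block -t c2_hosts -T show     # confirm the table loaded
```

Once the anchor is in place, a newly published address can be added with `pfctl -a c2_block -t c2_hosts -T add <ip>` without reloading the ruleset, and `-T delete` removes it. The caveat that applies equally to a third-party firewall is that this blocks only the IP addresses you know about: if the operators move the server or front it with a different host, the block does nothing, which is why it complements rather than replaces fixing the underlying weakness.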