North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware

Discussion in 'all things Mac' started by 1PW, Nov 1, 2023.

  1. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    2,313
    Location:
    .
    State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN.

    Last edited: Nov 1, 2023
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    And this is exactly why it's so important that the macOS firewall isn't broken! You could easily tackle this stuff with a firewall and anti-logger. And then I'm mainly talking about the last stage of this attack, although when the user fully trusts this app it gets more difficult of course. So my point is, never fully trust any app.

     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    It looks like the macOS firewall is Off by Default.
     
  4. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,461
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    That's one of the first things I turned on when I bought my iMac 7 years ago.

    [Attachment: Firewall.png]
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    This is what I never understood. But isn't this the case on Windows too? And then I'm talking specifically about outbound connections. Actually, I've just read in the article that this is indeed the case. The inbound connections are not so much of a problem because shouldn't the modem/router take care of this? But to block malware from phoning home, you obviously need outbound control. This is not clearly explained in the article, a missed opportunity.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Certainly a good idea, but of course outbound control is needed to control how apps and other programs connect, if that's what the user wants.

    In Windows, the firewall is enabled by default, but only to block incoming connections. The article inaccurately claims that Windows firewall does not block outgoing, but it can be set up to do so, just not in a user-friendly way unless a 3rd-party utility such as Windows Firewall Control is used. I don't use macOS so I don't know if its firewall can be set up to block outgoing connections. Of course as you mention, blocking incoming only does nothing to stop apps or malware from phoning home on an outbound connection.
     
  7. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    2,313
    Location:
    .
    Hello @wat0114

    This is why 3rd party macOS apps such as LuLu, Little Snitch and others are strongly suggested for inclusion in your defense arsenal.

    In the case of Objective-see's LuLu, the user may specify and develop a custom block list containing the toxic URLs and IPs.

    HTH
     
    Last edited: Nov 21, 2023
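The thread leaves the outbound-blocking mechanism unstated, so here is an added example (not from the thread, from LuLu or from Objective-See) of the macOS-native way to turn a custom block list into outbound drop rules: the built-in Application Firewall (socketfilterfw) only filters inbound connections, so address-based outbound blocking comes from pf, which macOS ships with. pf matches on addresses and ports, not on processes, so the per-application control that LuLu and Little Snitch provide is not reproduced here. The block list entries (documentation-range addresses), the anchor name c2block and the table name c2_block are constructed assumptions, not real indicators.

```shell
#!/bin/sh
# Added example, not from the thread, LuLu or Objective-See: turn a custom
# block list of IPv4 addresses/CIDRs into a pf anchor that drops outbound
# connections to those destinations on macOS.
#
# Background: the built-in Application Firewall (socketfilterfw) filters
# inbound connections only, so "phone home" traffic has to be blocked by pf
# (address/port based) or by a per-application tool such as LuLu/Little Snitch.
# Anchor name "c2block", table name "c2_block" and the list below are assumptions.
set -eu

# Constructed sample block list (documentation-range addresses, not real IOCs).
# Comments and blank lines are tolerated, as in a hand-maintained list.
BLOCKLIST='# constructed example list
192.0.2.10
203.0.113.0/24

198.51.100.7   # trailing comment
not-an-address
'

# Strip comments/whitespace and keep only IPv4 addresses or CIDR prefixes,
# so a stray hostname or typo never ends up in the live ruleset.
normalize_blocklist() {
    printf '%s\n' "$1" \
      | sed 's/#.*//' \
      | tr -d ' \t' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || true
}

# Emit the anchor ruleset: a persistent table plus one logged outbound block
# rule. "quick" stops evaluation so a later "pass" cannot override the block.
build_pf_anchor() {
    entries=$(normalize_blocklist "$1" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    if [ -n "$entries" ]; then
        printf 'table <c2_block> persist { %s }\n' "$entries"
    else
        # An empty list still creates the table, so it can be filled later
        # with: pfctl -a c2block -t c2_block -T add <address>
        printf 'table <c2_block> persist\n'
    fi
    printf 'block out log quick proto { tcp, udp } from any to <c2_block>\n'
}

# Load the anchor on a real Mac (root needed). /etc/pf.conf must also contain
# 'anchor "c2block"' for the anchor to be evaluated; pfctl -E enables pf.
apply_pf_anchor() {
    build_pf_anchor "$BLOCKLIST" > /etc/pf.anchors/c2block
    pfctl -a c2block -f /etc/pf.anchors/c2block
    pfctl -E
    # Show the inbound-only Application Firewall state for comparison.
    /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
}

# Dry run by default: print the generated rules. Pass --apply to load them.
if [ "${1:-}" = "--apply" ]; then
    apply_pf_anchor
else
    build_pf_anchor "$BLOCKLIST"
fi
```

Run it without arguments to review the generated rules; `sudo sh blocklist.sh --apply` loads them, and `sudo pfctl -a c2block -t c2_block -T show` lists what the table currently holds. Because the rule is address-based, a payload that changes its command-and-control address walks straight past it; that is the gap the per-process prompting of LuLu or Little Snitch is meant to close.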
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    That's good to know if ever I use macOS, I will check these out. Thanks!
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Exactly, I wonder if ProTruckDriver knew about this? Radio Silence is another interesting outbound firewall, see link.

    And speaking of this particular attack, I'm not sure if KANDYKORN, which is the final payload, runs as a separate (child) process or not. Because only then could a firewall block the outbound connection. And I'm also not sure if it makes use of code injection, which is less common on macOS, but is possible.

    What I'm saying is, if this malware is a bit more sophisticated than thought, then you need a behavior blocker to block it from getting access to private files and to block it from bypassing the firewall. Problem is, on macOS there aren't that many behavior blockers available.

    https://radiosilenceapp.com
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Well, the built-in firewall is a disaster so I always use Windows Firewall Control to manage it. I also use Tinywall as my third party firewall which doesn't depend on the built-in firewall and has a silent mode, because those alerts might drive you nuts.
     