Digita Security

Cybersecurity solutions for the modern, mobile, independent, innovative, enterprising macOS workforce

April 1, 2019

Mac Adware, a la Python


Chances are, if an Apple user tells you their Mac is infected, it’s adware. Over the years, Mac adware has become ever more prolific as hackers seek to financially “benefit” from the popularity of Cupertino’s devices.

January 22, 2019

Reversing 'pkgutil' to Verify PKGs


As a security company designing a macOS endpoint security tool, security is rather important to us! As part of our product’s secure update mechanism, we wanted to validate our downloaded update packages (.pkg) …before blindly installing them!
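A pragmatic pre-install check, added here as an example; it is neither Digita’s updater code nor the approach the post itself reverse-engineers out of pkgutil. It drives `pkgutil --check-signature` and accepts a package only if macOS trusts the signature and the leaf certificate is a Developer ID Installer certificate carrying your own Team ID: a valid signature on its own proves only that some Apple developer signed the package, so the Team ID pin is the part that makes it “ours”. The sample outputs are constructed, and the output layout (a `Status:` line followed by a numbered certificate chain) is an assumption drawn from recent macOS releases; re-check it against your own machine before relying on the parser.

```python
import re
import subprocess

# Status text pkgutil prints for a signature that chains to an Apple-trusted root
# (assumed wording; verify on your own macOS release).
TRUSTED_STATUS = "signed by a certificate trusted by macOS"

STATUS_RE = re.compile(r"^\s*Status:\s*(?P<status>.+?)\s*$")
# Leaf (entry "1.") must be a Developer ID *Installer* cert; "(TEAMID)" is the 10-char Team ID.
LEAF_RE = re.compile(
    r"^\s*1\.\s+(?P<subject>Developer ID Installer: .*\((?P<team>[A-Z0-9]{10})\))\s*$"
)

# Constructed sample of `pkgutil --check-signature` output for a properly signed package.
SAMPLE_OUTPUT_GOOD = """Package "DigitaUpdate.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       SHA1 fingerprint: (omitted in this constructed sample)
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: (omitted in this constructed sample)
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: (omitted in this constructed sample)
"""

# Constructed sample for an unsigned package.
SAMPLE_OUTPUT_UNSIGNED = """Package "Unsigned.pkg":
   Status: no signature
"""


def parse_check_signature(output: str) -> dict:
    """Pull the status line and the leaf certificate out of pkgutil's text output."""
    info = {"status": None, "leaf": None, "team_id": None}
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m and info["status"] is None:
            info["status"] = m.group("status")
            continue
        m = LEAF_RE.match(line)
        if m and info["leaf"] is None:
            info["leaf"] = m.group("subject")
            info["team_id"] = m.group("team")
    return info


def is_our_package(output: str, expected_team_id: str) -> bool:
    """Policy: trusted signature AND Developer ID Installer leaf AND our Team ID."""
    info = parse_check_signature(output)
    return (
        info["status"] == TRUSTED_STATUS
        and info["leaf"] is not None
        and info["team_id"] == expected_team_id
    )


def verify_pkg(path: str, expected_team_id: str) -> bool:
    """Run pkgutil on a real .pkg (macOS only) and apply the policy above."""
    proc = subprocess.run(
        ["pkgutil", "--check-signature", path],
        capture_output=True, text=True, check=False,
    )
    return is_our_package(proc.stdout, expected_team_id)


if __name__ == "__main__":
    # Hypothetical Team ID; substitute the one printed for your own certificate.
    print(is_our_package(SAMPLE_OUTPUT_GOOD, "ABCDE12345"))      # True
    print(is_our_package(SAMPLE_OUTPUT_GOOD, "ZZZZZ99999"))      # False: someone else's valid signature
    print(is_our_package(SAMPLE_OUTPUT_UNSIGNED, "ABCDE12345"))  # False: no signature at all
```

Run `verify_pkg` on the downloaded file before handing it to `installer`, and treat any parse failure as a rejection rather than a pass; the text format is not a stable API, which is precisely why the post goes after the underlying validation logic instead.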

January 20, 2019

Middle East Cyber-Espionage (part 2)


A few weeks ago, I posted part one of this two-part blog series covering the macOS exploits and implants used in a Middle East cyber-espionage operation. Today, we’ll complete the analysis of OSX.WindTail, detailing its installer and self-delete logic, and through reverse engineering uncovering its main capabilities.

January 1, 2019

The Mac Malware of 2018

Background

Hooray, it’s the New Year! 2019 is going to be incredible, right? …right? For the third year in a row, I’ve decided to post a blog that comprehensively covers all the new Mac malware that appeared during the course of the year. While the specimens may have been briefly reported on before (e.g. by the AV company that discovered them), this blog aims to cumulatively cover all new Mac malware of 2018 - in one place.

December 20, 2018

Middle East Cyber-Espionage

📝 👾 Want to play along? I’ve shared various OSX.WindTail samples (password: infect3d) …don’t infect yourself!

In this blog post, we’ll analyze the WindShift APT group’s 1st-stage macOS implant: OSX.WindTail (likely variant A). Specifically we’ll detail the malware’s:

  • initial infection vector
  • method of persistence
  • capabilities
  • detection and removal

Background

A few months ago, Taha Karim (head of malware research labs at Dark Matter) presented some intriguing research at Hack in the Box Singapore.

December 5, 2018

Word to Your Mac

📝 👾 Want to play along? I’ve shared the malicious document (password: infect3d) …don’t infect yourself!

In this blog post, we’ll detail how to analyze a Word document that we suspect contains malicious logic. Specifically we’ll detail:

  • How to extract & analyze the malicious macros embedded in the document.
  • How to decode & analyze the embedded 1st-stage payload (downloader).
  • How to retrieve & identify the 2nd-stage downloader.

Background

Earlier this week I was tagged in a tweet from John Lambert (a “Distinguished Engineer” at Microsoft’s Threat Intelligence Center): This #bitcoin interview lure macro doc does not infect any version of Office for Windows.

November 29, 2018

[0day] Mojave's Sandbox is Leaky

In this short blog post, we’ll detail a trivially exploitable privacy issue that, despite Apple’s (rather feeble) attempts, allows sandboxed applications to surreptitiously spy on unsuspecting users.

Note: This issue was originally disclosed (by yours truly) at Objective-See’s Mac Security Conference, “Objective by the Sea”. This blog post dives more deeply into the technical details of the flaw. Slides from the talk: “Protecting the Garden of Eden”.

Background

From a security and privacy point of view, sandboxes are an excellent idea.

August 30, 2018

Remote Mac Exploitation Via Custom URL Schemes

Background

In recent blog posts we’ve discussed vulnerabilities or flaws in macOS that allow malicious code to perform all sorts of nefarious actions, such as bypassing SIP, approving kernel extensions, dumping the keychain, and much, much more! However, exploiting these flaws requires that the malicious code has (somehow) already gained initial code execution on the targeted system. In other words, they are local attacks, which would generally be used in the 2nd stage of an offensive cyber operation.

August 27, 2018

Synthetic Reality


Imagine you’re an attacker (or a piece of malware) that has just successfully gained access to a Mac. Hooray!

You probably want to do things like:

  • dump the user’s keychain
  • determine the system’s (geo)location
  • enumerate the user’s contacts
  • load a kernel extension (kext)
  • bypass 3rd-party security products

July 18, 2018

DefCon26 Ticket & T-Shirt Giveaway on Twitter

Follow @digita_security and Retweet our #SaveYourMac promotion between July 18th and July 22nd for a chance to win a ticket to DefCon26 Security Conference!

Digita will additionally give away a select number of “SaveYourMac” t-shirts, like this one worn by our Chief Research Officer @patrickwardle as he slowly makes his way to speak at DefCon! 🐫 🤣

February 19, 2018

Tearing Apart the Undetected (OSX)Coldroot RAT

Patrick has always said he likes his tools open source! Follow along as he uncovers and analyzes an undetected cross-platform “Remote Administration Tool”, complete with tracing its origins to a GitHub repository and a publicly available YouTube demo 😮

While the intent of the author, how the sample ended up on VT, and whether users have ever been targeted are not known at this time, the features and capabilities of malware are certainly present.

February 5, 2018

Analyzing OSX/CreativeUpdater

More macOS malware! Once again, users are tricked into installing an infected application, with a popular download site leveraged to gain their trust. Read Patrick’s short blog post as he dissects the persistence mechanism of this cryptomining malware targeting macOS users.

January 23, 2018

Analyzing CrossRAT

Follow along with Patrick at 40,000ft as he dives deeper into the capabilities of macOS malware first reported by Lookout/EFF in their Dark Caracal analysis. Want to interactively play along with his breakdown? Objective-See has shared the malware, which can be downloaded here – password: infect3d.

January 2, 2018

Patrick Wardle Joins the Digita Family!

Patrick Wardle (@patrickwardle) formally joins Digita Security as Co-Founder and Chief Research Officer. Patrick is widely regarded as a top researcher in the fields of macOS security and malware analysis. He has been credited with numerous CVEs in core macOS components. Their subsequent fixes have improved macOS security for every user and are rumored to have spawned a new phrase in Cupertino: “Getting Wardled”. This year Patrick’s research has been featured on CNN, Forbes, and the New York Times.

October 9, 2017

High Sierra installer reverts XProtect rules

October 19th, 2017 Update: Apple has just silently pushed an updated XProtect configuration package that appears to address this issue. The package changes the receipt identifier that was the root cause of the problem; it does not change the configuration version number nor introduce any changes to XProtect rules. We’ve confirmed that previously ‘stuck’ machines are now updating properly.

TL;DR: the High Sierra installer replaces XProtect config version 2095 with version 2094.

September 20, 2017

import Foundation; print("Hello World!")

Welcome to the new Digita Security website. We are excited to start sharing our start-up journey. We hope you can tell from our new website launch that we have a passion for macOS, cyber-security, and product development. As long time Mac users and security professionals we recognize that we have a great opportunity to build native macOS security products. At Digita Security our primary goal is to improve the security of macOS users by developing high quality security products that are accessible to everybody.