After exclusively sharing details with 9to5Mac last September on ModStealer, a cross-platform infostealer invisible to every major antivirus engine at the time, Mosyle, a leader in Apple device management and security, is back with two more macOS threats that are flying completely under the radar.
In new details again shared with 9to5Mac, the Mosyle Security Research Team says it has identified two previously undetected samples: Phoenix Worm, a cross-platform stager, and ShadeStager, a modular macOS implant built for credential theft. The two aren’t directly connected in how they work, but together show just how sophisticated Mac malware is getting.
The timing here tracks with what the rest of the industry has been seeing. As I previously reported, infostealers and trojans like Atomic Stealer have been the dominant malware story on Mac for the past year, with attackers shifting away from noisy smash-and-grab attacks toward quiet, persistent footholds. Phoenix Worm and ShadeStager fit that pattern exactly.
Phoenix Worm, a stealthy stager
Despite its name, Phoenix Worm is the stager of the two. It is Golang-based, multi-platform malware built to act as a stager: a lightweight initial payload that establishes a foothold and persistence, then prepares the system for a second wave of attacks. Rather than dropping the full payload up front, it quietly builds that foothold first. There are many advantages to doing this: the initial sample stays small and generic, giving antivirus engines little to signature on, and the operators can decide later, per victim, which second-stage payload to deliver.
According to Mosyle, Phoenix Worm’s core functionality includes:
Establishing communication with a remote command-and-control (C2) server
Generating unique identifiers for infected systems
Transmitting system data back to attackers
Supporting remote upgrades and additional payload execution