Cyber espionage in the Middle East: unravelling OSX.WindTail

Thursday 3 October 16:00 - 16:30, Green room

Patrick Wardle (Jamf)



It's no secret that many nation-states possess offensive macOS cyber capabilities, though such capabilities are rarely publicly uncovered. However, when such tools are detected, they provide unparalleled insight into the operations and techniques utilized by advanced adversaries. In this talk, we'll comprehensively dissect one such tool: the first-stage macOS implant utilized by the WINDSHIFT APT group (who targeted individuals of a certain Middle-Eastern government). After analysing the malware's unique infection vector, we'll discuss its persistence mechanism and capabilities. To conclude, we'll present heuristic methods of detection that can generically detect this, as well as other advanced macOS threats.


Patrick Wardle

Patrick Wardle is Chief Research Officer at Jamf and founder of Objective-See. Having worked at NASA and the NSA, as well as having presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0-days, analysing macOS malware and writing free open-source security tools to protect Mac users.

@patrickwardle




Other VB2019 papers

Kimsuky group: tracking the king of the spear-phishing

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)

Threat Intelligence Practitioners' Summit - welcome & opening remarks followed by keynote: Fuelling AI with threat intelligence

Martijn Grooten (Virus Bulletin)
Mika Ståhlberg (F-Secure)

2,000 reactions to a malware attack - accidental study

Adam Haertle (BadCyber.com / ZaufanaTrzeciaStrona.pl)
