Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Finding OSX/CreativeUpdater malware with osquery

The first week of February 2018 saw another piece of macOS malware, CreativeUpdater: this time a cryptominer masquerading as several different software packages on the MacUpdate.com website. Again, even a few days later, VirusTotal shows that many endpoint solutions are not picking it up.

Finding OSX/MaMi with osquery

Seeing on Twitter that Patrick Wardle (a must-follow for macOS security!) may have found his first piece of macOS malware for 2018, I eagerly flipped to his blog. Given that this is “new” malware on macOS, there is likely going to be a window between discovery and protection via A/V software.

Identifying #iamroot issues with osquery (blank password vuln in macOS 10.13.1)

Update: Following this article's original publication, Apple released a somewhat confusing set of security updates, which invalidates some of the original content I had shared. I have posted a follow-up here and updated the version number in the determination query in this article.

Tuesday’s macOS High Sierra vulnerability (tagged #iamroot by some) was a great chance to explore the utility of osquery in responding to a previously unknown security threat. [See this post for other macOS malware identification tips]

How to find malware on macs using osquery

In the past few months there have been several instances of malware being introduced to OS X machines via “supply chain attacks”: a vendor is tricked into distributing, or is compromised in such a way that, its legitimate software is either replaced by malware or ships with malware included in the distribution bundle.
