
WindTail

Posted: April 10, 2020

WindTail is macOS-based spyware that collects files of specified formats from the user's drives, such as documents. Its campaign has close ties to the WindShift APT and its traditional infection methods, such as e-mail phishing lures. Users should monitor their downloading and browsing habits for risks that could expose them to this threat and have proper anti-malware tools to remove WindTail immediately in all cases.

Losing Your Work to a Sharp Burst of Wind

With espionage operations breaching targets in both Middle Eastern government networks and sensitive infrastructure companies, WindShift APT is proving its worth in the area of intelligence-gathering intrusions. While many of its tools are highly sophisticated, one of its custom ones, WindTail, is a relatively primitive application that, nonetheless, can get away with leaking broad and sensitive information. WindTail also has value as a demonstration of just how weak macOS's default defenses are against attackers who know their way around the system's assumptions about processing files and URLs.

Most attacks by the WindShift threat actor begin with e-mail messages conveying links or attachments, ostensibly to workplace documents such as memos or reports. Although execution requires the victim's permission on modern builds of the Safari browser, WindTail's ZIP-based installer disguises itself as a document with fake names and icons, and it bypasses both XProtect and Gatekeeper because it omits the LSQuarantineAgents bit that would otherwise trigger the open-permission alert. The installer also may carry misleading filenames, since these are attacker-specified.
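A defender-side triage of a Downloads folder for the traits just described (an archive or app bundle named like a workplace document and lacking the quarantine attribute that Gatekeeper keys on). This is an added example, not code from the page; the lure words, folder layout and sample files are assumptions.

```python
"""Flag items in a download folder that match the lure pattern described above:
an app bundle (or a ZIP carrying one) named like a document and missing the
com.apple.quarantine attribute. The lure words and sample files are assumed."""
from __future__ import annotations
import os
import zipfile
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"
DOC_WORDS = ("memo", "report", "invoice", "document")   # assumed lure words
DOC_EXTS = (".doc", ".docx", ".rtf", ".pdf", ".txt")


def has_quarantine(path: Path) -> bool:
    """True if the item carries the quarantine xattr (absent on non-macOS hosts)."""
    try:
        return QUARANTINE_XATTR in os.listxattr(path)
    except OSError:
        return False


def classify(name: str, is_bundle: bool, quarantined: bool) -> list[str]:
    """Pure decision logic, separated so it can be tested without a real filesystem."""
    findings = []
    stem, _ = os.path.splitext(name)
    lower = name.lower()
    if is_bundle and os.path.splitext(stem)[1].lower() in DOC_EXTS:
        findings.append("app bundle with a document-style double extension")
    if is_bundle and any(word in lower for word in DOC_WORDS):
        findings.append("app bundle named like a workplace document")
    if (is_bundle or lower.endswith(".zip")) and not quarantined:
        findings.append("no quarantine attribute: Gatekeeper will not prompt")
    return findings


def bundles_in_zip(path: Path) -> list[str]:
    """Top-level .app bundles inside an archive, without extracting it."""
    with zipfile.ZipFile(path) as archive:
        return sorted({n.split("/")[0] for n in archive.namelist() if ".app/" in n})


def audit(folder: str) -> dict[str, list[str]]:
    """Map each suspicious item name to its findings; clean items are omitted."""
    report: dict[str, list[str]] = {}
    for item in Path(folder).iterdir():
        quarantined = has_quarantine(item)
        is_bundle = item.is_dir() and item.suffix.lower() == ".app"
        findings = classify(item.name, is_bundle, quarantined)
        if item.suffix.lower() == ".zip" and zipfile.is_zipfile(item):
            for inner in bundles_in_zip(item):   # bundle inherits the archive's state
                findings += [f"{inner}: {f}" for f in classify(inner, True, quarantined)]
        if findings:
            report[item.name] = findings
    return report
```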

WindTail uses a surprisingly blunt persistence method that entails visible library and login items, usually with the same 'workplace document' themes. Malware researchers are classifying it as spyware, thanks to its further attacks, which focus on data exfiltration. WindTail enumerates directories and determines the presence of files such as RTF or DOC documents. It then archives and uploads each file to WindShift's Command & Control server, providing the hackers with a potentially enormous haul of data.

Some Adequate Wind Protection from Intel Op Hackers

Many parts of WindTail's structure suggest that the WindShift APT concerns itself with evading automated detection features, as WindTail has been doing for at least four months. The Trojan obfuscates its C&C network contacts and uses living-off-the-land strategies with macOS features for its data-archiving and uploading needs. Despite these precautions, WindTail is more vulnerable than most spyware to visual observation. Current samples display visible, albeit misleading, entries for login items and library entries.

WindTail's infection vectors highlight the unreliability of XProtect and other default macOS defenses. Users should inspect website links and downloads carefully before opening them and remain attentive to all possible signs of phishing attacks, which are the infection vectors de rigueur against governments and companies in sectors such as power and news media. As usual, the same infection vectors also may drop other threats that supplement WindTail's theft of data.

Currently, AV vendors are updating their databases for blacklisting WindShift APT domains and detecting this spyware heuristically. Users should always employ anti-malware services, when available, for deleting WindTail and disinfecting the system of all other possible threats.

WindTail is a somewhat brute-force instrument for a category of spyware that is ordinarily quite subtle. The amount of content it can upload to an attacker's server in even a short time is nothing to underestimate, however, and workers shouldn't depend too strongly on macOS, by itself, for their privacy.
