Spam Campaign Targets Exodus Mac Users
(Nov 2, 2018)
Researchers at F-Secure have observed a phishing email campaign aimed at Mac users of Exodus, a multi-cryptocurrency wallet. The phishing email poses as an Exodus update and carries an "Exodus-MacOS-1.64.1-update.zip" attachment. The fake update claims to bring the user's installation to version 1.64.1, while the most recent legitimate version of Exodus is 1.63.1. If the user extracts the attached .zip file and runs the extracted application, it installs a type of spyware on the machine. The spyware appears to originate from "realtime-spy-mac[.]com", a cloud-based surveillance and remote spy tool that lets the threat actor view images and data uploaded from the infected machine and also provides keylogging capabilities. The scale of this campaign, and whether it was targeted in any way, is unclear.
Recommendation: Attachments that ask for content to be enabled in order to view a document, or that require a .zip file to be extracted, are often signs of a phishing attack. If such a file arrives from a known and trusted sender, contact that individual to verify the authenticity of the attachment before opening it. Any such attachment from an unknown sender should be viewed with the utmost scrutiny; it should not be opened and should be reported to the appropriate personnel. Legitimate software updates are delivered through the application's own channels rather than through emails containing a link or file, so check the official site for update information before installing anything on your machine.
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users for identifying potential malicious activity.