

For the first time since November 2022, Apple last week released an update to its internal YARA-based malware file blocking service, XProtect. Version 2166 added several new signatures for a threat it labels “Honkbox”, a cryptominer characterized by its use of XMRig and the “Invisible Internet Project” (aka I2P). Apple’s update comes on the back of new research from Jamf, which itself builds on earlier research from other sources. Honkbox is an active threat with at least three variants and multiple components, some of which have not been previously documented. In this post, we describe Honkbox from a threat hunter’s point of view, providing a comprehensive breakdown of file characteristics, unique behavior and sample hashes that analysts and SOC teams can ingest to further aid their detection and response.

Apple updated XProtect last week in light of a publication by researchers at Jamf describing a known but relatively undocumented macOS malware. Apple’s YARA rules dubbed the malware ‘Honkbox’ (aka HONKBOX, but we’ll spare your eyes). The new signatures departed from Apple’s recent practice and used human-readable malware names instead of the short hexadecimal strings it usually assigns.
