macOS - Malware in Safari Cache!
I was browsing some finance websites when I got a warning from my third-party anti-virus (not XProtect) that a ‘trojan.gen.npe’ had been detected and quarantined. I checked the activity logs and could see this had also happened 3 other times over the previous few days.
I was able to pinpoint the webpage from the timestamps and put the URL through VirusTotal. I was hoping it was a false positive, but unfortunately 42 vendor analyses showed it to be malicious and to have malware.
Looks to be a drive-by attack with malicious JavaScript being injected.
VirusTotal detected from URL:
GT.JS.Injection.2.1bd84588
JS/Agent.PHC
javascript.malware.injection
Trojan.JS.SubberWorm
Trojan.Malscript
HEUR.Trojan.Script.Generic
Unfortunately, I deleted the malicious files, so I could not upload them to VirusTotal.
The trojan was detected in Safari’s cache. I didn’t download anything or click on any ads, so it was malicious code within the webpage cached by Safari.
My questions are:
- The MacBook is running macOS Sonoma and is updated with the latest version. How is it susceptible to a drive-by attack? Apple have patched Safari in previous OS releases to prevent this?
- Is Safari sandboxed? Can the trojan affect anything outside of Safari’s cache folder, or is it containerised?
- How is the malicious code triggered, and can it run outside of Safari?
- Why didn’t XProtect pick this up? Is it because it was just in the Safari cache and didn’t see it as a threat?
Any thoughts welcomed, thanks.
MacBook Air (M2, 2022)