Intego Mac Security Podcast

ShadowVault, WormGPT, and Apple’s Re-released Rapid Security Response – Intego Mac Podcast Episode 301

Posted on by

There’s new malware that’s supposedly in the wild, but no one has samples. Is it a threat? We also look at WormGPT, the evil twin of ChatGPT, Apple’s re-released Rapid Security Response, and Apple’s new ad about security and privacy features.


If you like the Intego Mac Podcast podcast, be sure to rate and review it on Apple Podcasts.

Intego Mac Podcast

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.


Transcript of Intego Mac Podcast episode 301

Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday July 20 2023.

This week’s Intego Mac podcast security headlines include: can malware that doesn’t actually appear in the wild still be considered threatening? Letting a disgruntled former employee keep access credentials to critical services leads to Joker-level hacking. Apple’s new ad touting its Mac and iOS security features is eight minutes long. Is it worth a look? Or two? And replaceable batteries will be coming to all phones in Europe by 2027. But how about in the US? Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn and Intego’s. Chief Security Analyst, Josh Long.

Kirk McElhearn 0:54
Good morning, Josh, how are you today?

Josh Long 0:56
I’m doing well. How are you? Kirk?

Apple released a corrected Rapid Security Response.

Kirk McElhearn 0:58
I’m doing just fine. I’m a little bit tired from all that celebration we did for our 300th episode. It’s taken me a week to get over that. But now we’re on the fourth 100 or the fourth century, if you’re a cricket fan, when they score 100 runs, they call that a century. So we’re on our fourth epoch. We’re going to start by talking about Apple’s Rapid Security Response, which we talked about in the last episode, and I think we talked about in the previous episode, I believe it was just after we finished recording last week that they released version “C” of this Rapid Security Response. And no news. Since then it seems to be working.

Josh Long 1:32
Right. Last week, we were talking about how they released “A”. “A” had some problems where some websites broke. In particular, it was Meta related websites like Facebook or something. I don’t think we talked about the reason why. But apparently the technical reason for it was that there’s this thing that browsers have called the user agent, which is how the browser identifies itself to a website that you’re visiting. And where Apple messed up was, if you had the latest version of macOS, or if you had iOS, and you installed this patch, the original “A” version of this patch, Safari would identify itself as Safari, parentheses “a” parentheses version number of Safari, and a lot of websites push content to you based on your browser’s user agent. And so it didn’t recognize that weird “a” in between there because it’s looking for a number. And so those websites that were specifically designed to render differently based on certain versions of Safari did not work properly. That’s why Apple had to rerelease this update. They did release it early, late in the day on the day that we recorded last week, of course, which was last Wednesday, July 12. So if you have not yet installed, by the way, nobody has any idea what happened to the “B” update. Kirk said something kind of funny to me about that.

Kirk McElhearn 2:57
I guess “B” didn’t work either. When you think about it’s a pretty dumb bug, right? Adding some random characters in the user agent. If you’re curious about user agents, you enable the Developer menu in Safari in Safari Settings. And then you choose Develop > User Agent. And what you’ll see is a list of potential user agents. So I’m seeing Safari 16.5.2, then you can choose Safari for iPhone, iPad mini and iPad, then you can choose Microsoft Edge, Google Chrome, Firefox, and there is an “Other” entry at the bottom of the menu. And if you choose that, you’ll see the exact user agent string. So for instance, here Mozilla slash 5.0, Macintosh, Intel, Mac OS X 1015, so et cetera. So it’s got a whole bunch of information. And the “A” must have gone someplace in the middle of that not in the short user agent string that you see in the menu.

What is Microsoft’s Llama 2 AI?

Kirk McElhearn 3:49
So AI is in the news. Again. We shouldn’t really call this AI anymore, we should call these things like ChatGPT…they should be called Large Language Models and Meta the company that was Facebook is helping us by releasing their own Large Language Model called Llama, LLAMA, L-A-M-A, etcetera. It’s going to be free and open source. I’m guessing that they trained it on all the stuff they got on Facebook. So this is going to probably be a Large Language Model trained on your aunt Edith’s Facebook feed with all the conspiracy theory posts that she makes. And when you try to use it, you’re gonna get conspiracy theories, because Large Language Models can be tweaked. And they can have different personalities. There’s one that Josh discovered called WormGPT. And I kind of like this because it’s an evil watch language model, isn’t it?

What is WormGPT?

Josh Long 4:41
Yeah, way back in January, I think we talked about how ChatGPT could be jailbroken, right. It’s designed to not allow you to do anything with malicious intent. And so they sort of keep trying to get ahead of the bad guys. There’s this cat and mouse game and the bad guys always finding some way to jailbreak ChatGPT to just sort of trick it into giving them information that they can use for malicious purposes. WormGPT is designed to just work around that altogether. It will take any prompt, whatever you want to give it, there’s no restrictions whatsoever. And it’s specially trained on data that include malware, like malicious code. So one of its primary uses is to be able to write malware without any restrictions whatsoever. And it’s trained on sources that know about malware. WormGPT. Another thing that we’ve got to deal with now. And this was to be expected, I mean, we knew something like this was going to come around eventually, because, well, it’s kind of obvious, right? If you’ve got ChatGPT out there, if it’s based on technologies that are partially open sourced, it’s only a matter of time before somebody makes a version like this.

Kirk McElhearn 5:55
In addition, WormGPT, according to an article on the Hacker News that I’ll link to in the show notes, can automate the creation of highly convincing fake emails personalized to the recipient, thus increasing the chances of success for the attack. And even beyond malware, this sort of scam email, or the voice scams that we’ve talked about. These are all things that are going to mean that we just can’t trust anyone. That we can’t trust what we see anymore. Now, you and I work, we work in security. And we’re aware of this, and we’re suspicious about everything. But this is a different level of suspicious, isn’t it?

Josh Long 6:28
Well, you do have to be more careful about things like emails that you’re getting now, because one of the telltale signs has always been, you know, if you’re good at grammar, you easily recognize the person who sent me this email is not very good at grammar. If it were a professional company actually sending me this email, they would have messed up on that. And this. So the problem is now you’ve got people who are actually writing these things using a GPT, or similar Large Language Model, which is trained on proper spelling and in multiple languages to, you can very easily generate a malicious email that you can use to trick somebody into giving up information. It’s something you have to be very careful about more so today than ever, because the bad guys are starting to use this not everybody’s using this, I still see a lot of spam with a lot of really bad typos and things like that. But the more clever ones are using GPT already.

ShadowVault is malware that evidently has not been deployed.

Kirk McElhearn 7:27
So apparently there is new Mac malware, but no one’s seen it. If Mac malware is out there, but it doesn’t do anything. Do we have to worry about it?

Josh Long 7:37
Well, it’s probably not something we have to worry about too much. But because there were headlines about this, I did write this up for the Mac security blog. So this alleged malware is called ShadowVault. And like several other things that we’ve seen recently, this is being sold on telegram. It’s a Russian speaking seller. We know they apparently speak Russian and English. And nobody in the industry has confirmed samples of this. It could be something that we’re already detecting, we just don’t know it, because we haven’t been able to get confirmed samples of this. So it’s one of those like awkward situations where the bad guy says that they’re selling this and they’re selling it for $500 a month. Well, you don’t want to give $500 to some possibly Russian based threat actor right who’s selling malware, you don’t want to give them money. At least nobody in the antivirus industry has given them money. So we don’t have any confirmed samples of it. It’s entirely possible that this is based on some existing open source stealer or keychain dumping malware, and Intego actually has recently added detection for some new malware of those types. So it could very well be that we’re already detecting ShadowVault. I’ve spent like the better part of the week putting this out there asking around in the community asking on social media and saying Does anybody have any samples of this and so far, nobody has come forward. It is out there. It’s probably not very widely distributed. And there’s a good chance that we’re already detecting it.

A phishing scam email contains a HTML file that may be tempting to click. Don’t!

Kirk McElhearn 9:09
We wanted to talk about a phishing email that I received about two weeks ago, it claims to be from American Express, and it says you have a new encrypted American Express file for review. But what I found surprising was that there was an HTML file attached to the email now, even though I have HTML emails displaying in mail on my Mac, I know you had that turned off. It didn’t display the file, it showed the file there. So you’ve got an encrypted American Express document and they expect you to double click on the file, which then takes you to the normal phishing page where you can log into American Express you enter your password, you enter your username and your password. I just tried now this whatever isn’t working anymore. So I guess so far, he’s probably trying to resolve it to the IP address in the document and it’s not working but if I look at it real quick look I can see the layout looks exactly like an American Express page. This isn’t that common to see HTML files and phishing emails is it.

Josh Long 10:07
It’s not something that I’ve seen a lot of. I have seen it in the past. But yeah, not a lot of that recently. And I think part of that is because spam filters, at least if you’re using a Gmail or one of the other big providers tend to be pretty good at identifying potentially malicious attachments. And so they’ll just send it to your spam folder, and you probably won’t even see it or notice that it’s there. This is interesting. It’s a technique that has been used in the past. And it’s just something to be aware of. So if you do get an email, and it may not necessarily be American Express, it could be something else. But if you get an email with an attached file, always be careful about that file. It could be overtly malicious, it could be something where they’re exploiting a vulnerability. Or in some cases, it could be something like this, where basically it will load in a browser, and it may have some embedded code so that if you fill out the form, or whatever it is, it’ll actually send it back to a phishing server. I think the reason that they did it this way, in this particular case, is they’re trying to work around the type of Phishing Filter that just blocks known phishing websites. And so they were like, well, if we just get them to load this in their browser, then we can work around that we can at least get them to that page initially. In this case, that second stage the site that it actually has to phone home to that apparently is offline at this point. I think it may have still been online though when Kirk first got this email.

Kirk McElhearn 11:35
Okay, let’s take a break. When we come back, we’re going to talk about a new Apple ad that is too long to watch.

Voice Over 11:42
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

What do you think of Apple’s new eight-minute ad incorporating many popular macOS and iOS security features?

Kirk McElhearn 12:58
So we’re recording this on July 19. An Apple just released a new ad called “Underdogs”. And the plot of this short film is someone is sitting outside in front of an office building on a busy street and she’s got her laptop or MacBook Pro sitting next to her and she turns around to talk to someone on the phone. I mean, come on. I grew up in New York, you don’t leave anything unattended like that. And she turns around, someone swipes it, but she’s gonna use fine my to chase after it and she gets a taxi. And that’s when I stopped watching. Because this ad is more than eight minutes long. I don’t understand how Apple expects people to want to watch this.

Josh Long 13:32
It is kind of funny to produce like a short film to show off all the features in your products. I did watch the whole thing because I thought well, we might talk about this on the podcast today. It wasn’t terrible. They use the same cast as some of the previous ads that they’ve done business related ads. So they had one I remember during COVID where everyone was working remotely. And so they were using FaceTime. And so they were advertising those kinds of features. FaceTime makes a reappearance. I’m not going to go through the whole ad. It was kind of interesting. I don’t know. It’s interesting, mostly just to see how all of these features can potentially work together. And they use I don’t know, probably a couple of dozen Apple features all throughout the ad. It works so seamlessly because all of the people who work together at this company all have iPhones. The other thing that’s kind of notable I would say about this ad is that the bad guys who stole her MacBook, took it to three different pawn shops. And they all basically said, this is a Mac I’m not gonna give you any money for this because it’s so ridiculous. Like nobody can break into a Mac. It’s got the Secure Enclave, one of them even mentions, anybody in the general public has ever heard of Secure Enclave. Anyway, it was kind of interesting. And if you really like Apple ads, get some popcorn because it’s eight minutes long.

Kirk McElhearn 14:58
So interestingly, the credits of this have listed starring security features Touch ID and Face ID, Find My, passwords and pass keys, Safari fraudulent website warning, end to end encryption, notify when left behind, MDM remote lock, MDM remote wipe, Secure Enclave and Family Sharing. Now, this is clearly targeting the enterprise market, because most people don’t know what MDM is. It’s Mobile Device Management, which big companies used to manage, you know, fleets of computers. So maybe it’s for IT managers who have a lot of time on their hands to watch something like this or, but then it’s also featuring Calendar and Siri and Messages and Safari and Apple Maps. And it’s like, they have stuck every single, I want to say mainstream Apple feature into this eight minute ad. But seriously, who is it for?

Josh Long 15:49
I don’t know. Anyway, let’s move on. Because it’s not too exciting to talk about an advertisement, just go watch it if you’re interested. And if not, well, you can live without it.

Malicious hacking by former employees who still have credentialed access.

Kirk McElhearn 15:58
Okay, so in today’s “News of the Real World is Like the Joker”: a former contractor accused of remotely accessing town’s water treatment facility. So basically someone worked for water treatment company and got fired or quit or whatever, but he still had access because you know what, they didn’t turn off his account. And he could have put anything in the water, he could have shut the water off. And this is actually quite serious, because we need water to survive, especially out where you are with the temperature is at a triple digits right now.

Josh Long 16:26
This is something that I think is worth bringing up here for two reasons. One is, well, just the human angle like awareness that something like this can happen. So it’s good to have, you know, emergency supplies on hand. You know, if you’re able to get a big barrel of water, or even just like cases of bottles of water or something to have on hand. And just in case of emergency, it’s a good idea to do that. But also, if you do run a business, or if you work in it, make sure that you’re actually disabling employees accounts when they leave the company, especially if you work in critical infrastructure, if you work in a water treatment facility. Yeah, this should be part of your standard practice, you definitely should not be allowing remote access to former employees to That’s just insane. It’s hard to believe something like that happened. But you know what, I’ve also worked in IT. And I’m not surprised that this happened. But it’s very disappointing, especially for something that’s so critical, like water treatment.

Kirk McElhearn 17:21
Well, it’s kind of funny, because last week, you convinced me to buy something on Amazon Prime Day on the second Amazon Prime Day, I’ll mention it, we’re not endorsing this at all what’s called the LifeStraw. It’s a water filter that you can use. And you can either suck it like a straw, which doesn’t look easy, or you can screw a water bottle in the top and squeeze through it. So I bought one to just have in the house in case what happens if the water gets shut off, and we need water. It’s really practical. And of course, here we have a water treatment facility that could get shut off. This is kind of like you’re looking for something you’re you’re looking on the web to shop for something and all of a sudden you see ads for it right? So I think since we talked about that LifeStraw, we saw something about this water treatment facility.

Apple announces new Beats Studio Pro headphones

Kirk McElhearn 18:04
Apple has a new product. It’s the first new product in this line in I think six years, it’s the New Beats Studio Pro headphones. If you’re familiar with Apple’s AirPods Max, which I really like, the Beats Studio Pro looks to be pretty much like the AirPods Max and of course, $200 less. It’s got personalized spatial audio. It’s got dynamic head tracking, active noise canceling, et cetera, et cetera, all the stuff that you’ve got in the AirPods Max, with a 40 hour battery life, that’s quite a lot. And it’s 200 bucks less. Josh, do you need new headphones?

Josh Long 18:39
I don’t. But if I were in the market for over the ear headphones, this is pretty interesting product. The thing that I’m most curious about is why is it $200? less like if it’s got all the same features, then like what incentive is there to get AirPods Max at this point?

Kirk McElhearn 18:58
None. In fact, you shouldn’t buy them if you need headphones. Now you will get the sort of Beat signature sound high in bass, but you have several options for sound profiles. They look like they’re all plastic, the AirPods Max the headphones in the band are the kind of aluminum, it doesn’t look like you can replace the ear pads on these, which you can on the AirPods Max, which is really clever. They just snap in magnetically. So it’s not exactly the same. But I would say that if you need something like this, it’s much better to buy this than the AirPods Max. Now, AirPods Max is two and a half years old. So we’re assuming there’ll be a new version. I’m not sure how popular they are. I know that when I was watching TED last so all the football players were wearing them because you know they’re all using iPhones and Apple products and all that but I don’t know if they’re really that popular outside. One thing I like on Apple’s page is it says they talk about upgraded voice targeting microphones. These powerful microphones actively filter out background noise to enhance the clarity of your voice up to 27% Better than beat studio three. How do they issue 20% better? What are they measuring? And the audio sound? I mean, in my experience, most of these headphones make phone calls sound really bad. I know that my basic AirPods people tell me they crackle a lot. I’ve never even tried with the AirPods Max. But this 27% better. I liked that number.

Josh Long 20:17
Yeah, well, maybe that’s why because they thought, oh, that sounds like a good number. What it probably is, is that whenever they do something like that, where it’s just sort of ambiguous, they’re probably testing a lot of little specific data points, and they pick out the best one, they’re like, Oh, that one’s 27%. Let’s say that.

European regulators will require all phones to utilize replaceable batteries as of 2027.

Kirk McElhearn 20:34
Well, speaking of 27, smartphones, who will need to have replaceable batteries by 2027. And this is, well, this is in Europe, of course. And Josh was saying before the show, maybe Apple is going to make a European iPhone and sell the normal iPhone around the world. You know what happens with this, once the Europeans come up with this regulation, everyone copies them, because they don’t have to do all the fact finding and the research and calculations. They’ve got all the data. And it’s really easy. So I’m pretty sure that we’re going to see this now. The rule is that they must have a battery that user can easily replace with no tools or expertise. And I kind of find this problematic. The real problem with an iPhone is that it is waterproof. So if it’s just something you know, Android, cheap Android phones, where you can just snap the battery out of the back. If it’s like that, then it’s not going to be waterproof anymore, is it?

Josh Long 21:23
Well, yeah, this this does sound problematic. It reminds me of the old days before I had an iPhone and I had, like, a Palm TREO type phone. Man, I don’t want to go back to those days. I mean, if Apple’s gonna have to make this device thicker, so that they’ve got a little door on the back or some other way to like detach the battery. Really? Do we have to go there? I get it, I get it. I know that these EU regulations are all about user serviceability and saving the environment. Instead of having to throw away an entire phone and get a new one. You just replace the battery yourself or you replace the screen yourself or you just use the same USB cable that you’ve got for all of your other products. And okay, well, I get I get the point. And I’m okay with USB-C even by the way, I know that’s probably coming on the next iPhone.

Kirk McElhearn 22:16
Oh, I want USB-C. Yeah, I want USB-C because we’re normalizing toward that. The new Beats Studio Pro has USB-C. Whereas the AirPods Max has a Lightning connector.

Josh Long 22:24
Yeah. But this one, I don’t know, this is a hard sell. Because in terms of product design, right, and being as thin as possible, and light as possible, I feel like this, this is a step backwards.

Kirk McElhearn 22:38
Okay. On the other hand, when you think about the environmental impact of all these batteries, and all these devices, there’s a movement here in the UK to ban disposable vape pens, because first of all, they’re mostly marketed to children, which isn’t really that good. And second of all, they’re disposable, and they have lithium ion batteries. And apparently there have been hundreds of fires and recycling centers. Over the past few years here in the UK, we had a very big fire in a recycling center near us and you know, black smoke billowing a couple miles away, it was huge. I don’t know if it was caused by that it was caused by some kind of battery. So these batteries, when they’re in piles of trash, it gets warm, and they can melt and they can explode. And so it’s the same thing for an old phone. You know, if a phone is really old, people might just throw it away after a few years. So the idea of them being more recyclable, and giving people the option to know that they can change the battery easily. Now, if you don’t know you can take your phone to an Apple Store and haven’t changed your battery first, I think it’s $69 depends on the model. So that’s always been available. I don’t think that’s too expensive for a phone that’s 800 or $1,000. So if your battery gets down after two or three years and doesn’t last very long. Take it to Apple in the meantime. By 2027 you’ll be able to buy a battery on Amazon and stick it in your iPhone.

Josh Long 23:55
Yeah,.See that…it makes me a little nervous to know if I like that if if people are able to just buy a battery from any old source. It could be a good thing if you’re buying it from a trusted vendor. But if you’re just buying any old knockoff battery on Amazon, I don’t know about that sounds like a bad idea.

Kirk McElhearn 24:13
Especially we know how “Scamazon” works with a lot of these third party things and we can’t trust them. I would buy the Apple battery from Amazon. I wouldn’t take a chance with a you know $20 Chinese battery from Amazon. I would pay Apple for Apple’s $50 Chinese battery. I wouldn’t buy the cheap one, but most people would buy the cheap one and of course there are risks with that too. Okay, one last story today Microsoft is scanning the inside of password protected zip files from malware. First time I heard that I was like I did a double take what how can they scan password protected zip files?

Microsoft has started to scan password-protected .zip files for badware.

Josh Long 24:47
And apparently this is also something that all of the Microsoft 365 cloud services are using this feature. So they started doing something where if there is a known password…. So for example, you can imagine like in sending an email to somebody and saying, I’ve attached this file, and the password is password, if you give the password in the email, then the AI whatever like that Microsoft is using can read that it can find that in the message and say, oh, okay, that’s the password. Now I’m going to use that to check for malware inside of this file. This is interesting, but also potentially problematic, because there are situations where you may actually want to have it password protected. And you may even want to include the password in that message. I remember back in the day, whenever I would find some new piece of malware that wasn’t widely detected, I used to have a giant list of email addresses for all the big antivirus vendors. And I would compose an email to them, send a password protected zip file with that piece of malware in it, and send it to all these different antivirus companies at once. I don’t know how many antivirus companies still do that if they still accept email submissions like that. But that was the standard practice. And then the antivirus company on the other end would extract the file, and it would be able to bypass whatever, you know, malware scanning filters there might have been in use on some system in between your email provider and theirs. So it was a way to make sure that malware would actually get to the to the antivirus vendor. You can’t really do that anymore, necessarily. If you’re using Microsoft products, it’s probably something that’s not terrible. It could potentially protect people. And that’s, I think, why Microsoft decided to go this direction. Interestingly, Microsoft doesn’t always err on the side of protecting people. There’s a lot of news stories this past week about how they’re deciding to not patch a bunch of pretty serious vulnerabilities because they’re afraid of breaking things. So I don’t know Microsoft is all over the place. Sometimes they’re overly protective. Sometimes they don’t protect nearly well enough.

Kirk McElhearn 27:09
Okay, I think that’s enough for this week. Until next week, Josh, stay secure.

Josh Long 27:13
All right, stay secure.

Voice Over 27:16
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →