WindShift APT

WindShift APT Description

The myth that Mac computers don’t get viruses is just that: a myth. The reality is that Mac viruses are just less common. They still exist, but hacking groups don’t make creating them a priority. Every so often, though, a group like WindShift comes along.

WindShift is what is considered an APT (Advanced Persistent Threat). These are groups that security researchers are aware of and track. The infrastructure, tools, and targets of an APT are generally well-known because they are scrutinized so closely. Some groups, however, are stealthier and able to operate quietly without being tracked, and it is harder to keep an eye on them. WindShift is one of those groups and, according to researchers, has been operational since 2017 at the very earliest.

The WindShift APT primarily focuses on reconnaissance operations. The group has engaged with big targets like governments and organizations but also appears to go after specific targets chosen ahead of time. The interesting thing about its targets is that they seem completely unrelated; cybersecurity researchers have yet to find a single connecting link between them. WindShift also takes a different approach than other groups. It does not rely as heavily on malware and ransomware as other groups do to get the information it is after. Instead, this APT uses sophisticated social engineering to obtain data from targets subtly. Most targets don’t even realize anything is wrong until it is too late.

It is thanks to this reliance on stealth that the group can carry out operations for extended periods of time without being caught. WindShift campaigns have been known to last months at a time. Experts suggest that some of the targets WindShift hit were observed for months before the group began any actual hacking operations. WindShift does this through fake social media accounts, discussions with targets about relatable topics, and engaging content published through fake publications. The group connects with its targets to earn their trust and make the actual attack phase easier.

The group also uses a range of analytical tools to study and observe individuals, including their browsing habits and interests. It can use this information to further its social engineering campaigns and gain even more knowledge. WindShift has used both publicly available tools and utilities of its own making. One way the group gathers information about what its targets like is to send them links to legitimate web pages and observe how they respond.

Once the hackers have enough information to work with, they attempt to obtain the target’s login credentials. The group has impersonated Apple iCloud and Gmail, among others, to obtain credentials from its targets. The target receives a message alerting them that they need to reset their password and is sent to a page that appears legitimate but is in fact a spoofed recovery page designed to steal what is entered into it. If the target doesn’t fall for the trick, WindShift moves on to hacking tools to get the information it wants.

Outside of using publicly available tools, WindShift has created several custom hacking tools and threats, such as the following:

  • WindDrop – A Trojan downloader designed for Windows systems, first spotted in 2018.
  • WindTail – Malware designed for OSX systems that collects files of specific types, or with specific names, that match its criteria. It is also capable of planting additional malware on the compromised system.
  • WindTape – A backdoor Trojan designed for OSX systems that is able to take screenshots.

These tools have some advanced capabilities, such as manipulating DNS settings to send users to different web pages. By controlling the DNS resolution of a compromised system, WindShift can redirect its web traffic to sites of the group’s choosing. These sites are designed to look just like the real thing and are used to obtain login credentials and additional information from targets.

WindShift APT is undoubtedly one of the more unusual hacking groups around. The group takes a different approach to its targets and attacks than other known APTs: it relies heavily on social engineering and primarily targets Mac computers. This is what makes it such an enigma in the hacking world. Security researchers are still trying to work out its operational procedures and motivations. Still, the group definitely proves that your Mac isn’t as immune to viruses as you think it is.