A handful of malware samples that emerged in 2021 demonstrated once again that Apple's technologies, while less prone to attack and compromise than Windows systems, are not invulnerable.
For the sixth year in a row, security researcher Patrick Wardle has released a list of all the new Mac malware threats that emerged over the course of a year. For each malware sample, Wardle identified the malware's infection vector, installation and persistence mechanisms, and other features, such as the purpose of the malware. A sample of each new Mac malware sample that surfaced last year is available on his website.
His list is designed to give security professionals a better understanding of threats targeting macOS at a time when the technology has begun making inroads into the enterprise — propelled largely by remote workers. A survey of 300 IT professionals, commissioned by mobile device management vendor Kandji last year, showed Apple device use had grown at 76% of organizations over the past two years. Fifty-three percent reported that requests for Apple devices at grown at their organization over the same period.
Wardle's list is comprised of eight new malware samples that surfaced in 2021 and target macOS. Among them are ElectroRAT, a cross-platform remote access trojan that emerged last January; Silver Sparrow, a malware tool specifically targeted at Apple's M1 chip launched last year; XLoader, a cross-platform password stealer; and OSX.CDDS or MacMa, a macOS implant likely developed by a nation-state actor.
Different antivirus and security firms discovered each of the malware samples. Intezer, for instance, uncovered ElectroRAT when investigating a wide-ranging cryptocurrency operation in January 2020. At the time, the company described ElectroRAT as a rare example of a malware tool that had been developed from scratch and was used to target Windows, Linux, and macOS environments.
Red Canary reported Silver Sparrow last February as a binary compiled specifically to run on Apple's then-new M1 chips. The security vendor said some 29,139 Mac endpoints had been affected by the malware installer, which however, carried no payload. Researchers from Check Point who uncovered XLoader discovered it to be a version of a well-known information stealer called Formbook that had been rewritten for macOS.
Members of Google's threat analysis group discovered MacMa (OSX.CDDS) when investigating sophisticated watering hole attacks targeting visitors to the Hong Kong websites of a media outlet and a pro-democracy group. The researchers discovered the attackers exploiting a zero-day privilege escalation vulnerability (CVE-2021-30869) in macOS Catalina, to drop the MacMa backdoor. Based on the quality of the payload code, Google assessed the malware to be the work of a well-resourced and likely state-backed threat actor.
The other malware samples Wardle listed in his round-up were XcodeSpy, which targeted Xcode developers with a backdoor called EggShell; ElectrumStealer, a cryptocurrency mining tool that Apple inadvertently signed digitally; WildPressure, a cross-platform Python backdoor that Kaspersky found targeting industrial companies in the Middle East; and ZuRu, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems.
Willy Leichter, CMO at LogicHub, says the biggest Mac malware threats of last year fell under a handful of categories: cryptominers such as ElectroRAT and OSAMiner; adware loaders such as Silver Sparrow; information stealers such asXloader and Macma; and cross-platform Trojans such as WildPressure.
"There is still a lingering misperception that Macs are inherently more secure than Windows systems, because of the raw numbers of attacks," Leichter says. That sentiment is largely a reflection of the current market share, where Windows still dominates. "Macs do have some security advantages, but these are becoming less significant because of two trends: malware is increasingly targeting browser plugins, not the underlying OS," he adds. In addition, he says, malware developers are increasingly creating cross-platform applications independent of the operating system.
Jaron Bradley, MacOS Detections Manager at Jamf, says one of the most notable developments on the Mac threat landscape in 2021 was the significant amount of effort that threat actors put into attacking Macs. This included finding new zero-day vulnerabilities and exploiting them to distribute Mac-specific malware, he says. As an example, Bradley points to a zero-day bypass (CVE-2021-30713) in Apple's Transparency Consent and Control (TCC) framework that attackers exploited to deliver malware called XCSSET.
"Malware implementing zero-day bypasses show us that attackers are getting more capable and knowledgeable about macOS," Bradley says. "Not only that, but it also shows us that they find value in actually taking the time to build these exploits into their tooling."
For the moment, at least, adware threats continue to be the most abundant malware on macOS, Bradley says. "However, over the course of 2021, we've also seen more sophisticated threats emerge with a distinct focus on setting up remote control of Macs via backdoors," he notes, pointing to ZuRu and OSX.CDDS as examples.
The trend requires organizations to pay closer attention to the macOS environment, he adds. "While many security organizations have in the past seen macOS and iOS as 'safe enough' with existing controls, attackers are now finding these devices lucrative targets," Bradley says. "Security teams need to start bringing their technical understanding of these platforms on par with other platforms so they can identify malicious behaviors and attacks."