Think You’re Safe with Apple? Hackers Use Mac Malware to Steal Data, Track Users


Think you're safe because you use a Mac? Two security researchers have released an extensive report warning that much of the macOS security is actually an assumption of greater protection against malware than it actually exists. While Windows attracts more malware campaigns, thanks to being the most-used desktop operating system, Mac isn't as safe as we may want to believe.

While documenting an unsophisticated piece of malware, researchers said that macOS users are actually at greater risk because of this assumed protection.

Attackers Are Exploiting an Apple iTunes Zero-Day Bug to Install Ransomware on Windows Machines

Much of the added security afforded to macOS users stems from an expectation of Windows by attackers and less readily-available remote access tools for the OS, rather than better in-built defenses.

Thus, macOS users are at risk of assuming greater protection against malware than actually exists, and could be more vulnerable as a result.

Security researchers also added that a growing number of human rights activists and dissidents opt for Apple devices, leading to targeted attacks by sophisticated threat groups.

It's not just Windows - Meet the latest Mac malware

Security researchers Claudio Guarnieri and Collin Anderson specialize in Iranian surveillance and espionage campaigns targeting human rights and civil society entities. The security research duo reported that a cyber espionage group linked to Iran has been using an unsophisticated piece of malware named MacDownloader to steal data from macOS computers.

MacDownloader was disguised as a Flash Player Update and a Bitdefender adware removal tool. This Mac malware was first spotted on a (fake) website of the US aerospace firm United Technologies Corporation. Researchers said the malware was created towards the end of 2016, and its code has been copied from other sources, revealing that this is probably the developer's first attempt at creating a Mac data-stealing malware.

Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.

The researchers said they knew the fake US aerospace website was previously used for Windows malware. However, responding to their changing environment with activists opting for Apple products, the same website was suddenly found serving Mac-specific malware. They added that while MacDownloader appears to be targeted at defense sector, it has been used against a human rights advocate.

Apple Introduces Activation Lock for Macs & Read-Only System Volume for Better Security with macOS Catalina 10.15

How MacDownloader works

The research team said that once the target downloads the update, the program connects to an external server, possibly to download more malware. MacDownloader steals some information from the system and sends it to a server. This data includes the contents of Mac's keychain folder and a list of installed applications.

MacDownloader also displays a fake System Preferences prompt asking for system's username and password.

Armed with the user’s credentials, the attackers would then be able to access the encrypted passwords stored within the Keychain database. While Chrome and Firefox do not store credentials in Keychain, Safari and macOS’s system service do save passwords to sites, remote file systems, encrypted drives, and other criteria resources there.

The report added that evidence links the latest Mac malware to Charming Kitten - also known as Newscaster and NewsBeef - a suspected Iranian threat actor known for harvesting information from its targets. The group gained notoriety a few years ago for posing as journalists to steal user credentials and corporate and personal emails of targets. These targets included political dissidents, US defense contractors, Congressional staff, journalists, and others from the NATO countries.