Mac malware more than doubled in 2017

Apple Mac computers are traditionally considered to be less vulnerable to cyber attacks, but malware targeting their operating systems is on the rise, warns security firm Malwarebytes.

According to the firm’s statistics, Mac-specific malware increased by 270% in 2017 compared with 2016, and four new Mac threats were detected in the first two months of 2018.

The first of these, OSX.MaMi, was uncovered after a Malwarebytes forum contributor reported that his DNS settings had been changed and he was unable to change them back.

The malware that was discovered on his system acted to change these settings and ensure that they remained changed. It also installed a new trusted root certificate in the keychain in an apparent attempt to steal victims’ online account credentials.

These two actions are highly dangerous, said Thomas Reed, director of Mac and mobile at Malwarebytes. “By redirecting the computer’s DNS lookups to a malicious server, the hackers behind this malware could direct traffic to legitimate sites – such as bank sites, Amazon, Apple’s iCloud and Apple ID services – to malicious phishing sites, and the addition of a new certificate could be used to perform a “man-in-the-middle’ attack, making these phishing sites appear to be legitimate,” he wrote in a blog post.

The second Mac-specific malware was discovered via research into nation-state malware, called Dark Caracal, by Lookout. Researchers identified a new cross-platform RAT (remote access Trojan or backdoor), dubbed CrossRAT, that is capable of infecting Macs, among other systems. Written in Java, the malware  provided some basic remote backdoor access to infected Mac systems.  

“Although not very complete, this malware was only a version 0.1, indicating that it is probably in a very early stage of development,” said Reed. He noted that although Macs have not come with Java preinstalled for years, it is important to keep in mind that nation-state malware is often crafted and used with some knowledge of the target in mind.

“The targets intended to be infected with this malware may have had reason to have Java installed, or it may have been installed via physical or some other access by a hacker targeting specific individuals,” he said.

The third piece of Mac malware, named OSX.CreativeUpdate, was originally discovered through a supply chain attack involving the MacUpdate website. This website was hacked, and the download links for some popular Mac apps, including Firefox, were replaced with malicious links.

“These kinds of supply chain attacks are particularly dangerous, even capable of infecting savvy members of the development and security community, as was documented by Panic,” said Reed.

Users who downloaded the affected apps from MacUpdate ended up with lookalike malicious apps that had the same functionality as the legitimate app to cover up the malicious activity going on in the background.

This malware is designed to use the computer’s processor to mine monero cryptocurrency, a practice that is rapidly gaining popularity among cyber criminals seeking to hijack computing power to generate cryptocurrency to fund their operations.

Illicit cryptocurrency mining, or cryptojacking, often goes unnoticed by targeted organisations, that tend to ascribe the associated slowdown of their computers to other factors.

In addition to the performance impact, this type of malware has a number of other negative effects, including reduced battery life, increased usage of electricity, and even potential for overheating the computer and damaging the hardware, especially if the fans are not working at peak capacity or the vents are clogged with dust, said Reed.

NTT Security has urged businesses not to ignore cryptojacking because of the potential financial impact and reputational damage that can be caused, reporting that its researchers had identified about 12,000 monero mining malware samples dating back to March 2015, but with most appearing towards the end of 2017.

The most recent piece of Mac malware, OSX.Coldroot, is a generic backdoor providing access to the system. However, Reed notes that some aspects of its installation will fail on Mac OS version 10.11 or later, and because of bugs it will fail entirely on some systems.

“This malware didn’t seem like much of a threat, but it could still be dangerous on the right system,” he said.

Looking back at the past year, Reed said 2017 saw the appearance of many new backdoors, such as the now infamous Fruitfly malware, first documented by Malwarebytes, which was used by an Ohio man to capture personal data, even being used to generate child pornography.

In addition, he said, there is a rising threat of adware and PUPs (potentially unwanted programs), usually scam software masquerading as legitimate software.

“These kinds of threats have become extremely pervasive in the last few years, even invading the Mac App Store to such a degree that certain classes of software – such as antivirus or anti-adware software – in the App Store are almost entirely PUPs and cannot be trusted,” said Reed.

Unfortunately, many Mac users still have “serious misperceptions” about the security of Mac OS, he said, and because they believe there are no threats, they often do not exercise the same caution online that they would on computers running Windows.

“Apple’s Mac OS includes some good security features that are helpful, but they are easily bypassed by new malware, and they really don’t address the adware and PUP problem at all,” said Reed. “Mac OS cannot be considered bulletproof.”

In the light of this reality and the commercial opportunities it presents, Malwarebytes has developed malware protection for Macs and has extended its endpoint protection product to support Mac operating systems.

According to the security firm, its endpoint protection product uses machine learning for threat anomaly detection and includes a single dashboard to give visibility and security for all devices on the network.

It said the product also ensures PCI DSS (payment card industry data security standard) compliance in organisations that use Mac computers because it has been validated as a replacement for traditional antivirus systems.

“The landscape today is far from the homogeneous computing environment of a decade ago,” said Marcin Kleczynski, CEO of Malwarebytes. “Businesses are increasingly operating with a mix of Windows and Mac machines. Now organisations can ensure the sanctity and security of their operations with a solution that protects the business environment that exists today – with multiple operating systems at work under multiple roofs.”