As MacOS Adoption Rises, the Malware Attacks Increase

The days in which Mac users could assume that they were operating one of the most secure OS in the market are over. Mac malware is on the rise and becoming more dangerous. Patrick Wardle, a researcher specializing in Apple security, recently concluded that new macOS malware specimens increased roughly 100% from 2022 to 2023, with ransomware, trojans, and backdoors being the top threats.

Following this trend, Bitdefender recently uncovered a new backdoor that shares similarities with the criminal groups BlackBasta and ALPHV/BlackCat. The new malware, Trojan.MAC.RustDoor has been hiding in the shadows,, running persistent attacks for the past three months, Bitdefender says.

Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender, spoke to Techopedia to explain why Apple users are in the cross hairs of cybercriminal gangs, and how bad actors are succeeding in breaching macOS systems.

“Macs have unfortunately become valuable targets because of their increased penetration in the enterprise. Some cybercrime groups are now attempting to carve a niche for themselves in the Mac space to move into other ecosystems because of fierce competition in the Windows landscape.”

Key Takeaways

  • Malware on macOS is evolving from adware to the more dangerous trojans, backdoors, and stealers.
  • Cybergangs such as Lazarus Group and infamous ransomware operators like BlackBasta and BlackCat are now linked to the new wave of attacks targeting macOS systems.
  • Impersonating popular apps and services, software releases and OS updates, zero-day vulnerabilities, and gaps in Mac users’ security awareness are the tools criminals leverage to succeed and breach into Apple territory.

Why Are Criminal Gangs Going After Mac Users?

Historically, the majority of malware has been mostly designed and coded to attack Windows OS. The reason for this is quite simple. Windows OS has been the most popular system in the world, holding above 70% of the global market share since 2013, as Statista reports. But over the same period, macOS adoption began to rise, especially in enterprises — where surveys suggest 22.4% of enterprise devices are MacOS.

Additionally, other factors are in play. Apple products have a mysticism about them. For example, Business Live research shows that more than half of those surveyed consider Apple devices “more expensive but worth the value“. Studies like these have been fueling a social perception that Mac users are high-value persons, attracting the interest of known cybergangs.

Latest Threats on MacOS

One of these gangs is the Lazarus Group — linked to North Korea — who last year launched a malware called KandyKorn targeting macOS users who worked in crypto and blockchain. Since then, several other new Mac malware have been spotted in the wild.

Advertisements

Now, Bitdefender presented evidence that strongly suggests that BlackBasta and BlackCat are also going into the Mac cyberattack market. Botezatu from Bitdefender explained to Techopedia why macOS malware is proliferating.

“As macOS has steadily gained ground in market share over the past few years, it has become much more attractive for cybercrime groups.

“‘Traditional’ macOS threats such as potentially unwanted apps (PUA) or aggressive adware have been surpassed in numbers by more devastating Trojans.”

The New Mac Rust Backdoor

Coded in Rust, a language that BlackCat has been using for years, the new Mac backdoor, discovered by Bitdefender, breaches into systems as a trojan. The attackers behind this campaign have created fake websites that lure potential victims into downloading a Mac update for Visual Studio — a popular software used to develop apps, web or desktop applications, and games.

Once victims download and install the malicious file, the installer creates a backdoor without the user ever knowing that his system has been breached and compromised.

This new malware is designed to steal files that are of specific extensions and sizes. It looks in the Documents and Desktop folders and on Notes, copies the files it wants to extract, then conceals them in a hidden folder and compresses them into a ZIP file, before finally sending them over to the attacker’s C2 server.

The installer runs an extraction with the sysctl command and the output of two other commands (pwd and hostname) to then submit them to the Register endpoint of the Control and Command server, and assign and receive a Victim ID.

Attackers use the Victim ID to communicate with the compromised macOS and then can take control of the computer remotely, gain information on the system, send and receive payloads, exchange information about tasks executed on the breached device, and steal files.

User Error and Hacking Tactics

Attackers are also leveraging the myths that users do not need macOS antivirus software, or are immune to malware.

The new Mac Rust backdoor attack, like other Mac attacks, can only be successful when Mac users visit malicious sites, do not check URLs, down software, files or apps from unverified sites, but once that has happened, they are free to operate without a second layer of security such as a trusted and professional anti-malware running in the background.

Even savvy users can be tricked into downloading and executing an infected file. For example, the Mac AMOS stealer recently updated itself pretending to be Slack, and the recent Trojan.MAC.RustDoor impersonates an update for Visual Studio. Criminals will continue using this tactic as long as they continue getting results. And Mac users’ security awareness can influence those results.

Signs That The New Backdoor is Linked To BlackCat

Bitdefender’s digital forensics shows that the Trojan.MAC.RustDoor is a new undocumented family of malware. However, despite not confidently attributing it to any known threat actors, the security company says several factors signal to BlackCat.

First of all, as mentioned, the backdoor is coded in Rust, a programming language used by BlackCat. Additionally, three out of the four command and control servers were previously associated with ransomware campaigns targeting Windows clients, BitDefender said.

Malware coded in Rust is stealthy and very evasive as the coding language is relatively new, and Rust security tools are not as adopted as other tools for other languages.

Unlike Python, which uses interpreters, Rust compiles directly to machine code, obscuring its intent.

BitDefender says that they have already discovered several different versions of the new backdoor.

Botezatu shared with Techopedia Bitdefender’s latest macOS Threat Landscape Report, adding:

“Apple finds itself consistently having to patch actively exploited vulnerabilities as threat actors employ social engineering vectors and spray-and-pray techniques,”

The Most Common Form of Mac Trojans

1. EvilQuest2. Generic Trojans3. Exploit Trojans4. Flashback5. Empire6. Shellcode7. Shlayer

EvilQuest

First discovered in mid-2020, EvilQuest remains the single most common Trojan targeting Macs, with a 52.7% share.

The malware bundles a ransomware component designed to encrypt and pilfer the victim’s files, as well as a keylogger to record keystrokes and steal personal or financial data.

While most antivirus vendors recognize and block EvilQuest, its continued abundance indicates that attackers are still using it in a spray-and-pray fashion, hoping to catch unprotected systems in their nets.

Generic Trojans

Twenty-two percent of detections include several Generic Trojans whose characteristics are similar, if not identical, and therefore don’t get their own name on the list.

Exploit Trojans

Taking third place with an 8.2% detection rate, Exploit Trojans leverage known / unpatched flaws in macOS and are designed to deploy timely payloads (additional malware components) without the user’s knowledge.

Exploit-centric Trojans present a real danger to users who don’t run an antivirus on their Mac or, as is typical, postpone installing their security patches from Apple.

Flashback

With a relatively small 2.7% detection rate, Flashback represents a type of Trojan that disguises itself as a legitimate app or installer (update) to trick users into running the threat with their own hands.

Flashback marked the beginning of sustained malware development for the Mac when it emerged more than a decade ago.

It’s enough to warrant it a mention as it still makes the rounds 12 years after it was originally detected by security researchers.

Empire

Empire is a partially defunct threat, but still emerges in BitDefender’s telemetry with a 2.6% detection rate years after inception. Its rapidly-deployable post-exploitation modules include keyloggers and data stealers, and it boasts adaptable communications to evade network detection.

Shellcode

Shellcode is an instruction set that can be leveraged to execute a command and take control of or exploit a vulnerable machine.

Trojans that run Shellcode on the target system to launch malware or download additional payloads had a considerably low detection rate of 1.9% during the tracked period (Jan-Dec 2022).

Shlayer

Typically disguised as installers and various cracking tools, Shlayer continues to emerge 1.4% of the time and delivers adware, unwanted applications, and promotes fake search engines. Most infections come from warez and torrent sites.

Constant Security Patches and Zero-Day Exploits

In the past six months, Apple has released over 60 security releases for all its devices — including Macs, iPhones, iPads, and the Apple Watch. Twenty-eight of those security patches were released in the past three months, some of these rushed to patch critical security vulnerabilities as new OSs were rolled out.

The rate of modern software development, app releases, and updates is fast-paced, and security patches are not uncommon. They affect all software companies, not just Apple. However, for cybercriminals, new software and OS are a golden opportunity to exploit, and zero-day exploits are trending in the underground criminal world.

The report adds that black hat hackers are not just exploiting zero-day vulnerabilities but also users’ lax cybersecurity hygiene. Whether it be a trojan, a crypto jacker, a backdoor, or a ransomware attack on Mac, they are all triggered by human error.

Staying Safe from Trojans on a Mac

As worrying as the new wave of malware coded for Mac environments are, there are still several things users can do to keep secure.

Bitdefender’s report explains that malware such as trojans, which exploit unpatched vulnerabilities, are particularly dangerous for users who postpone installing Apple’s latest security patch. Therefore, keeping a Mac up to date is critical for its security.

Paying close attention to the URLs when visiting unknown sites is also important. Furthermore, all downloads should be done through legitimate and trusted sites. Users also need to be aware of the latest trends and techniques used by cybercriminals as they are constantly innovating and finding new ways to trick users.

Another technique that is gaining popularity is the use of fake ads on popular search engines like Google that criminals use to redirect victims to malicious phishing sites. Setting browser settings to the highest security levels and not ignoring a warning when a site is flagged as malicious is also important.

Finally, scanning a Mac regularly and investing in additional professional security always goes a long way.

Advertisements

Related Reading

Related Terms

Advertisements
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning, and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.