Rising Threats: Cybercriminals Intensify Focus on macOS

The Rising Threat of Malware on macOS: Insights from Intel471’s Latest Report

In a world increasingly reliant on technology, the security of our devices has never been more critical. A recent report by Intel471 has shed light on a concerning trend: macOS is becoming a prime target for threat actors. This article delves into the findings of the report, exploring the various types of malware targeting macOS, the vulnerabilities being exploited, and the implications for users and organizations alike.

The Surge of Malware Targeting macOS

Between January 2023 and July 2024, Intel471’s research identified over 40 distinct threat actors focusing on macOS systems, deploying a variety of malware types. Notably, infostealers and trojans emerged as the most prevalent forms of malware, indicating a shift in the cyber threat landscape.

Infostealers: The New Age of Data Theft

Infostealers, or information-stealing malware, have seen a dramatic increase in development and deployment across all operating systems, including macOS. According to Uptycs, incidents involving infostealers doubled in the first quarter of 2023 compared to the same period in 2022. Group-IB reported a staggering fivefold increase in underground sales of macOS infostealers.

These malicious programs are designed to harvest sensitive information, including login credentials, session cookies, and financial data such as credit card information and cryptocurrency wallet details. They are particularly favored by initial access brokers, who gather valid credentials from companies and sell them to other cybercriminals.

One of the most notorious macOS infostealers is Atomic Stealer (also known as Atomic macOS Stealer or AMOS), which has gained popularity for its ability to extract credentials and cryptocurrency wallet data from macOS devices. Other notable infostealers include ShadowVault, advertised by a threat actor named codehex, and Quark Lab, which boasts advanced capabilities for stealing keychain passwords and browser information.

Trojans: Remote Access and Control

Remote access trojans (RATs) are another category of malware increasingly targeting macOS. One such example is RustDoor, developed in the Rust programming language, which allows attackers to execute remote commands, manipulate files, and collect system information. The versatility of Rust as a cross-platform language makes it an attractive choice for malware developers, enabling them to easily port their code across different operating systems.

Ransomware: A Growing Concern

The emergence of ransomware targeting macOS is particularly alarming. Intel471 notes that the rise of macOS ransomware signifies a new frontier for threat actors seeking to compromise Apple users. In April 2023, researchers discovered a new encryptor for the infamous LockBit ransomware that specifically targets macOS devices, including those running on Apple Silicon. Another, less sophisticated ransomware variant, Turtle, was written in Go; because it was not notarized, macOS's Gatekeeper flags it before it can run.

Exploited Vulnerabilities: A Growing List

The number of macOS vulnerabilities exploited in 2023 surged by over 30%, according to Action1, a patch management software company. Intel471 identified 69 vulnerabilities affecting multiple versions of macOS from March 2020 to July 2024, with more than ten classified as high-risk. Some of these vulnerabilities have been leveraged by cyberespionage actors.

For instance, CVE-2023-41993 was exploited to install Cytrox’s Predator spyware, which has been sold to various state-sponsored organizations. Similarly, CVE-2023-41064, a buffer overflow vulnerability, was used by cyberespionage actors to deploy spyware. The underground market for exploits is thriving: one cybercriminal offered an exploit for CVE-2022-32893 for $2.7 million.

State-Sponsored Threat Actors: A New Dimension of Risk

State-sponsored threat actors are also increasingly developing malware aimed at macOS. North Korean group BlueNoroff has created a malicious loader called RustBucket, targeting financial institutions involved with cryptocurrencies. Russian threat actors, including APT28 and APT29, have utilized macOS malware to steal sensitive data from compromised systems. APT28’s XAgent backdoor, for example, has been used for years to extract data from macOS systems, while APT29 has employed the Empire framework for remote administration.

Protecting Against macOS Threats

Given the rising tide of malware targeting macOS, it is imperative for users and organizations to take proactive measures to safeguard their systems. Here are some essential steps to consider:

  1. Keep Systems Updated: Regularly update macOS and all installed applications to patch vulnerabilities before they can be exploited.

  2. Deploy Security Software: Use reputable security software to detect and mitigate malware and suspicious activity.

  3. Email Security Solutions: Deploy email security controls to block phishing, which is often the initial vector for malware infections.

  4. Employee Training: Educate employees to recognize social engineering tactics and suspicious content in email and instant messaging.

Conclusion

The findings from Intel471’s report underscore the urgent need for heightened awareness and robust security measures among macOS users. As threat actors increasingly target this operating system, understanding the nature of these threats and taking proactive steps to mitigate risks is essential. By staying informed and vigilant, users can better protect themselves against the evolving landscape of cyber threats.