Threat actors are increasingly targeting macOS

A new report from Intel471 reveals that macOS is increasingly targeted by threat actors, who either develop malware specific to the operating system or use cross-platform languages to achieve their goals on macOS computers.

More macOS vulnerabilities are also being exploited. Malware and exploits could be used for both cybercrime and cyberespionage.

More malware than ever on macOS

Between January 2023 and July 2024, researchers observed over 40 threat actors targeting macOS systems with different types of malware, the most popular being infostealers and trojans.

Infostealers

Information-stealing malware (also known as infostealers) is increasingly being developed and deployed on all operating systems, and macOS is no exception.

According to cloud security firm Uptycs, incidents involving data stealers doubled in the first quarter of 2023 compared to the same period in 2022. Cybersecurity firm Group-IB also reports a fivefold increase in underground sales involving macOS data stealers.

Cybercriminals use this type of software to steal login credentials, session cookies that allow authentication without credentials, and other data such as credit card information or cryptocurrency wallets. The software is also widely used by initial access brokers, who collect valid credentials, usually from companies rather than individuals, and sell them to other cybercriminals.

Atomic Stealer, also called Atomic macOS Stealer or AMOS, is one of the most popular macOS information stealers since 2023. It is designed to steal cryptocurrency wallet credentials and data from macOS devices and browsers.

Structure of Atomic Stealer malware log files. Image: Intel471

However, several cybercriminals operate or advertise other information stealers that target macOS. A threat actor nicknamed codehex advertised an information stealer for macOS called ShadowVault, capable of stealing data from various Chrome-based browsers, files stored on compromised computers, and cryptocurrency wallet data.

The malware's operators were also able to sign it with an Apple developer signature, making it difficult for security software to detect. The malware was sold for $500 per month under a Malware-as-a-Service (MaaS) business model.

Another more expensive data stealer, Quark Lab, with capabilities to steal passwords from system keychains as well as cryptocurrency wallets and information from popular browsers, sold for $3,000 per month.

Trojans

Remote Access Trojans are another popular category of malware that is increasingly being deployed on macOS.

RustDoor, a macOS malware written in Rust and possibly linked to a ransomware threat actor, provides several capabilities to its operator:

  • Execute remote commands.
  • Manipulate files on compromised systems.
  • Drop additional payloads.
  • Collect system information.

This makes it a unique tool for both cyber espionage and cybercrime. The Rust programming language has become more popular among malware developers as it is a cross-platform language that allows a developer to easily port code to any operating system.

Ransomware

As Intel471 wrote, “The emergence of macOS ransomware is causing concern as it shows that threat actors are looking for new avenues to compromise Apple users.”

In April 2023, security researchers discovered a new encryptor for the infamous LockBit ransomware, which targeted macOS devices, including newer macOS systems running on Apple Silicon.

In late 2023, another, less advanced ransomware appeared, dubbed Turtle, once again developed in a cross-platform programming language, Golang, also known as Go. The malware was only ad hoc signed and not notarized, so Gatekeeper blocks it, as explained by security researcher Patrick Wardle.
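The two signing situations the article contrasts, a stealer shipped under a genuine Apple developer signature and a ransomware that is only ad hoc signed, can be told apart on an endpoint from the output of Apple's own `codesign` and `spctl` tools. The script below is an added example (not from Intel471 or the article) that parses that output into a triage verdict; the sample reports it runs on are constructed to resemble real tool output, and the `assess_path` helper that invokes the tools is an assumption that only works on macOS.

```python
"""Classify a macOS binary's signing status from codesign/spctl output.

Added example. `codesign -dvv PATH` and `spctl --assess --type execute -vv PATH`
both print their report on stderr; parse_codesign/parse_spctl work on that text,
so the classification can be tested offline with constructed samples.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigningStatus:
    signed: bool          # False when codesign reports "not signed at all"
    adhoc: bool           # True when codesign reports Signature=adhoc
    team_id: Optional[str]  # Developer ID team identifier, if any
    accepted: bool        # Gatekeeper (spctl) accepted the binary
    notarized: bool       # spctl reports source=Notarized Developer ID

    @property
    def verdict(self) -> str:
        if not self.signed:
            return "unsigned"
        if self.adhoc:
            return "ad-hoc signed"          # Turtle-style: Gatekeeper blocks it
        if self.notarized and self.accepted:
            return "Developer ID, notarized"
        if self.team_id:
            return "Developer ID, not notarized"  # a real identity, but Gatekeeper rejects it
        return "signed, unknown identity"


def parse_codesign(text: str) -> dict:
    """Pull the signing flags out of `codesign -dvv` output."""
    if "code object is not signed at all" in text:
        return {"signed": False, "adhoc": False, "team_id": None}
    adhoc = re.search(r"^Signature=adhoc$", text, re.M) is not None
    team = re.search(r"^TeamIdentifier=([A-Z0-9]+)$", text, re.M)  # "not set" does not match
    return {"signed": True, "adhoc": adhoc, "team_id": team.group(1) if team else None}


def parse_spctl(text: str) -> dict:
    """Pull the Gatekeeper verdict out of `spctl --assess -vv` output."""
    accepted = re.search(r": accepted$", text, re.M) is not None
    notarized = re.search(r"^source=Notarized Developer ID$", text, re.M) is not None
    return {"accepted": accepted, "notarized": notarized}


def classify(codesign_text: str, spctl_text: str) -> SigningStatus:
    return SigningStatus(**parse_codesign(codesign_text), **parse_spctl(spctl_text))


def assess_path(path: str) -> SigningStatus:
    """Run the real tools (macOS only; assumed helper, not used by the tests)."""
    cs = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return classify(cs.stderr + cs.stdout, sp.stderr + sp.stdout)


# Constructed sample reports (shapes follow the tools, values are made up).
NOTARIZED_CS = """Executable=/Applications/Good.app/Contents/MacOS/Good
Identifier=com.example.good
Authority=Developer ID Application: Example Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
NOTARIZED_SP = "/Applications/Good.app: accepted\nsource=Notarized Developer ID\n"

DEVID_CS = NOTARIZED_CS.replace("Good", "Unnotarized")
DEVID_SP = "/Applications/Unnotarized.app: rejected\nsource=Unnotarized Developer ID\n"

ADHOC_CS = """Executable=/Users/victim/Downloads/turtle
Identifier=turtle
Signature=adhoc
TeamIdentifier=not set
"""
ADHOC_SP = "/Users/victim/Downloads/turtle: rejected\nsource=no usable signature\n"

UNSIGNED_CS = "/Users/victim/Downloads/blob: code object is not signed at all\n"
UNSIGNED_SP = "/Users/victim/Downloads/blob: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    for name, cs, sp in [("Good.app", NOTARIZED_CS, NOTARIZED_SP),
                         ("Unnotarized.app", DEVID_CS, DEVID_SP),
                         ("turtle", ADHOC_CS, ADHOC_SP),
                         ("blob", UNSIGNED_CS, UNSIGNED_SP)]:
        print(f"{name}: {classify(cs, sp).verdict}")
```

The useful defender signal is the third category: a binary carrying a real Developer ID team identifier that Gatekeeper still rejects as unnotarized deserves the same scrutiny as an unsigned one, because an abused developer certificate is exactly what the article describes for ShadowVault.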

Exploited vulnerabilities

The number of macOS vulnerabilities exploited in 2023 increased by more than 30%, according to patch management software firm Action1.

Additionally, Intel471 found 69 vulnerabilities affecting various macOS versions from March 2020 to July 2024, with more than 10 vulnerabilities classified as high risk. Some of these vulnerabilities have been exploited by cyber espionage threat actors.

CVE-2023-41993, an unspecified vulnerability affecting multiple versions of macOS, was exploited to install Cytrox's Predator spyware, which was sold to several state-sponsored organizations around the world.

Threat actors also exploited CVE-2023-41064, a buffer overflow vulnerability. The cyber espionage threat actor sold its spyware to state-sponsored organizations.

A cybercriminal nicknamed oDmC3oJrrSuZLhp offered to sell an exploit on an underground forum for $2.7 million for the CVE-2022-32893 vulnerability, which allows an attacker to execute arbitrary code on targeted systems.

State-sponsored threat actors

While different spyware vendors have sold their services to state-sponsored threat actors, some of these threat actors develop malware and tools targeting macOS.

North Korean threat actor BlueNoroff, for example, has developed a malicious loader known as RustBucket, built for macOS and intended to attack financial institutions whose activities are related to cryptocurrencies.

The group also targets individuals who own cryptocurrency assets, with the ultimate goal of draining the targeted wallets.

Russian threat actors APT28, part of the Main Directorate of the General Staff of the Russian Armed Forces, and APT29, part of the Russian Foreign Intelligence Service, have also used macOS malware.

The modular XAgent backdoor used by APT28 has been around for many years and includes a version for macOS, allowing it to steal data from compromised macOS systems, including iOS backups containing messages, contacts, voicemail, call history, notes, and calendars. APT29 used the no-longer-supported Empire cross-platform remote administration and post-exploitation framework, allowing it to attack macOS.

Vietnam-based threat actor APT32 also deployed a macOS backdoor used to attack different organizations.

How to protect yourself from this threat

macOS systems should always be kept up to date and patched to avoid being affected by common vulnerabilities.

Security software should be deployed on systems to detect malware and suspicious activity. Email security solutions should also be used, as much of the initial compromise is delivered through phishing emails.

Finally, all employees should be trained to detect potential social engineering techniques used in emails or instant messaging tools.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.