Intel471’s new report reveals macOS is increasingly targeted by threat actors, who develop specific malware for the operating system or use cross-platform languages to achieve their goals on macOS computers.
More macOS vulnerabilities are also being exploited in the wild. Malware and exploits might be used for both cybercrime and cyberespionage.
Between January 2023 and July 2024, the researchers observed more than 40 threat actors targeting macOS systems with different malware types, the most popular being infostealers and trojans.
Information-stealing malware, known as infostealers, is increasingly developed and deployed for every operating system, and macOS is no exception.
According to cloud security company Uptycs, incidents involving infostealers doubled in the first quarter of 2023 when compared with the same period in 2022. Cybersecurity company Group-IB also reports a fivefold rise in underground sales related to macOS infostealers.
Cybercriminals use such software to steal login credentials, session cookies (which let an attacker authenticate to a service without knowing the password), and further data such as credit card details or cryptocurrency wallet contents. Infostealers are also widely used by initial access brokers, who harvest valid credentials, most often belonging to companies rather than individuals, and sell them to other cybercriminals.
Atomic Stealer — also called Atomic macOS Stealer or AMOS — is one of the most popular macOS infostealers since 2023. It is designed to steal credentials and cryptocurrency wallet data from macOS devices and browsers.
Yet multiple cybercriminals operate or advertise other infostealers targeting macOS. A threat actor using the handle codehex advertised a macOS infostealer dubbed ShadowVault, capable of stealing data from various Chromium-based browsers, files stored on compromised computers, and data from cryptocurrency wallets.
The operators could also sign the malware with an Apple developer certificate, making it harder for security software to flag. It was sold for $500 per month under a malware-as-a-service (MaaS) model.
Another more expensive infostealer, Quark Lab, with capabilities to steal keychain passwords from systems as well as cryptocurrency wallets and popular browser information, was sold for $3,000 per month.
Remote access trojans are another popular category of malware increasingly deployed on macOS.
RustDoor, a macOS backdoor written in Rust and possibly tied to a ransomware threat actor, provides several functionalities to its controller:
This makes it a useful tool for both cyberespionage and cybercrime actors. The Rust programming language has become more popular among malware developers because it is cross-platform: the same code base can be compiled for multiple operating systems with little modification.
As written by Intel471, “the appearance of macOS ransomware raises concerns since it demonstrates threat actors seeking new avenues to compromise Apple users.”
In April 2023, security researchers discovered a new encryptor for the infamous LockBit ransomware, which targeted macOS devices, including newer macOS systems running on Apple Silicon.
In late 2023 came another, less advanced ransomware, dubbed Turtle, again written in a cross-platform language, Go (Golang). The sample was only ad hoc signed and not notarized, so Gatekeeper blocks it from running by default, as security researcher Patrick Wardle explained.
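The signing state is the first thing a responder checks when triaging a sample like Turtle, because it decides whether Gatekeeper will stop the file on first launch. The POSIX shell script below is an added example, not code from Intel471's report or from Patrick Wardle's analysis: it classifies a Mach-O binary from the output of Apple's codesign(1) and spctl(8). The embedded tool output is constructed to mirror what those tools print; the paths, the "Example Corp" Developer ID identity and its team ID are hypothetical.

```shell
#!/bin/sh
# Added example: classify a macOS binary's signing state from codesign/spctl
# output. "Signature=adhoc" means an ad hoc signature with no identity behind
# it; "Authority=Developer ID Application" means an Apple-issued developer
# certificate; "source=Notarized Developer ID" from spctl means Apple's
# notarization service has seen the binary.

# classify_from_output CODESIGN_OUTPUT SPCTL_OUTPUT
# Prints one token: unsigned | adhoc | developer-id-notarized |
# developer-id-unnotarized | other
classify_from_output() {
  codesign_out=$1
  spctl_out=$2

  case "$codesign_out" in
    *"code object is not signed at all"*) echo unsigned; return 0 ;;
  esac

  case "$codesign_out" in
    *"Signature=adhoc"*)
      # Ad hoc signatures cannot be notarized; Gatekeeper rejects them on
      # first launch, which is why Turtle was blocked by default.
      echo adhoc; return 0 ;;
    *"Authority=Developer ID Application"*)
      case "$spctl_out" in
        *"source=Notarized Developer ID"*) echo developer-id-notarized ;;
        *) echo developer-id-unnotarized ;;
      esac
      return 0 ;;
  esac
  echo other
}

# classify_macos_binary PATH: run the real tools (macOS only) and classify.
classify_macos_binary() {
  path=$1
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 1; }
  cs=$(codesign -dv --verbose=4 "$path" 2>&1)
  sp=$(spctl --assess --verbose=4 --type execute "$path" 2>&1)
  classify_from_output "$cs" "$sp"
}

# Constructed sample output for an ad hoc signed, unnotarized Mach-O
# (hypothetical path /tmp/turtle).
ADHOC_CODESIGN='Executable=/tmp/turtle
Identifier=turtle
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none'
ADHOC_SPCTL='/tmp/turtle: rejected
source=no usable signature'

# Constructed sample output for a notarized Developer ID signed app
# (hypothetical identity "Example Corp", team ID ABCDE12345).
DEVID_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4567 flags=0x10000(runtime) hashes=130+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=10'
DEVID_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

classify_from_output "$ADHOC_CODESIGN" "$ADHOC_SPCTL"   # prints: adhoc
classify_from_output "$DEVID_CODESIGN" "$DEVID_SPCTL"   # prints: developer-id-notarized
```

On a real Mac, `classify_macos_binary /path/to/sample` runs the tools directly; elsewhere the parser can be fed saved tool output from a forensic image. Note that a valid Developer ID signature only says who signed the binary, not that it is benign: as the ShadowVault listing above shows, operators do obtain developer certificates, so the classification is a triage hint, not a verdict.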
The number of macOS vulnerabilities exploited in 2023 increased by more than 30%, according to patch management software company Action1.
Additionally, Intel471 found 69 vulnerabilities that impacted multiple versions of macOS from March 2020 to July 2024, with more than 10 vulnerabilities ranked at a high-risk level. Some of these vulnerabilities have been exploited by cyberespionage threat actors.
CVE-2023-41993, a WebKit vulnerability affecting multiple versions of macOS, was exploited to install Cytrox's Predator spyware, which was sold to multiple state-sponsored customers worldwide.
Threat actors also exploited CVE-2023-41064, a buffer overflow in the ImageIO framework. Here too, the cyberespionage actor behind the exploitation sold its spyware to state-sponsored organizations.
A cybercriminal using the handle oDmC3oJrrSuZLhp offered an exploit for CVE-2022-32893, a WebKit vulnerability allowing arbitrary code execution on targeted systems, for $2.7 million on an underground forum.
While several spyware vendors have sold their products to state-sponsored threat actors, some of those actors also develop their own malware and tools aimed at macOS.
North Korean threat actor BlueNoroff, for example, developed a malicious loader for macOS known as RustBucket, aimed at financial institutions whose activities involve cryptocurrency.
The group also targets individuals holding cryptocurrency assets, with the ultimate goal of draining the targeted wallets.
Russian threat actors APT28, part of the Russian Main Directorate of the General Staff of the Armed Forces, and APT29, part of Russia’s Foreign Intelligence Service, have also used macOS malware.
The XAgent modular backdoor used by APT28 has been around for many years and includes a macOS version that steals data from compromised macOS systems, including iOS backups containing messages, contacts, voicemail, call histories, notes, and calendars. APT29 used the Empire cross-platform remote administration and post-exploitation framework, whose original project is no longer maintained, to target macOS as well.
Vietnam-based threat actor APT32 (also known as OceanLotus) also deployed a macOS backdoor against a range of organizations.
macOS systems must be kept up to date and patched to avoid compromise through known vulnerabilities.
Security software should be deployed on the systems to detect malware and suspicious activity. Email security solutions are also needed, since much of the initial compromise arrives via phishing emails.
Finally, all employees need to be trained to recognize the social engineering techniques used in emails and instant messaging tools.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.