SecureMac, Inc.

Is Mac malware evolving?

July 13, 2020

Mac malware is increasing in quantity, and many security researchers say it’s becoming more sophisticated as well. While some Mac users are still a bit blasé about the threats facing the platform, the last few weeks have provided two great examples of the evolution of Mac malware. In what follows, we’ll fill you in on the details, and offer some thoughts about what it all means for the future of macOS security.

Old malware, new delivery method

Security researchers at Intego recently spotted what seemed to be a new variant of Mac malware being distributed through malicious Google search results. Further analysis by SentinelOne’s Phil Stokes revealed that the malware in question was actually a dropper for a variant of the well-known VindInstaller adware (VindInstaller.B).

VindInstaller.B itself is nothing new, and displays many of the familiar characteristics of macOS adware: It collects information about the infected system, and then contacts a remote server in order to fetch adware and Potentially Unwanted Programs (PUPs) to serve to unsuspecting users in the hopes that they can be tricked into installing them.

But what’s interesting here is the way in which VindInstaller.B makes its way onto a victim’s computer. The original malicious file is disguised as a Flash installer, but in fact contains a bash shell script. A shell script is just a computer program that runs in a Unix command line interpreter like bash or zsh — but shell scripts can also be used by bad actors as a sneaky way of installing malicious software on a target system. 

In this example, instead of simply attempting to deliver the adware through a standard installer, shell commands are used to create a randomly named directory on the target system, and then feed embedded, compressed zip file data into two command line utilities that turn the data into a working installer for the adware. 

So why all the smoke and mirrors? Because malware that arrives via shell scripts is much harder for detection tools to spot, and is much easier to alter again and again in an attempt to stay one step ahead of threat hunters.
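One way a defender can triage scripts of this shape is to look for the signals the dropper pattern above combines: a randomly named working directory, a long embedded encoded blob, and a decode-then-unarchive pipeline. The following is an added example (not SecureMac's, Intego's or SentinelOne's tooling); the signal regexes, the threshold and both sample scripts are constructed assumptions, and the "payload" in the suspicious sample is filler text, not a real archive.

```python
import re
from typing import Dict, List

# Heuristic signals for a "self-extracting" shell-script dropper (assumed, not
# taken from any published detection rule).
SIGNALS: Dict[str, re.Pattern] = {
    # working directory named from $RANDOM, uuidgen or mktemp
    "random_dir": re.compile(r"\$RANDOM\b|\buuidgen\b|\bmktemp\s+-d\b"),
    # decoder that turns embedded text back into bytes
    "decoder": re.compile(r"\b(base64\s+(-[dD]|--decode)|openssl\s+(enc|base64)\s+-d|xxd\s+-r)"),
    # archive tool that turns those bytes into files
    "unarchiver": re.compile(r"\b(unzip|funzip|bsdtar|ditto\s+-x|tar\s+-?x\w*)\b"),
    # a long run of base64 alphabet on its own line: embedded payload
    "embedded_blob": re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$", re.M),
    # heredoc data fed straight into a pipeline instead of a file on disk
    "heredoc_pipe": re.compile(r"<<-?\s*['\"]?\w+['\"]?[^\n]*\|"),
}


def scan_script(text: str) -> List[str]:
    """Return the names of the dropper signals present in a shell script."""
    return [name for name, pat in SIGNALS.items() if pat.search(text)]


def is_suspected_dropper(text: str, min_signals: int = 3) -> bool:
    """Flag a script only when a decoder AND an unarchiver co-occur with at
    least one more signal; any single signal is common in benign scripts."""
    hits = set(scan_script(text))
    rebuilds_archive = {"decoder", "unarchiver"} <= hits
    return rebuilds_archive and len(hits) >= min_signals


# Constructed filler (base64 alphabet, 240 chars); NOT a real zip archive.
FAKE_BLOB = "QUJD" * 60

# Constructed sample in the shape described in the article: random directory,
# embedded data, two utilities rebuilding an "installer" from it.
SUSPICIOUS_SCRIPT = f"""#!/bin/bash
D="/tmp/.$RANDOM$RANDOM"
mkdir -p "$D"
cat <<'EOF' | base64 -D | funzip > "$D/Installer"
{FAKE_BLOB}
EOF
"""

# Constructed benign installer script: one archive tool, nothing embedded.
BENIGN_SCRIPT = """#!/bin/bash
set -e
mkdir -p "$HOME/Library/Logs/MyApp"
curl -fsSL https://example.com/myapp.tgz -o /tmp/myapp.tgz
tar -xzf /tmp/myapp.tgz -C "$HOME/Applications"
"""
```

Treat a hit as a triage lead, not a verdict: legitimate self-extracting installers can trip the same signals, so the flagged script still needs a human look at what the decoded data actually is.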

The increasing reliance on shell scripts to deliver Mac malware, nicely exemplified by this recent VindInstaller dropper, is just one example of how threat actors are adapting their tactics in order to stay relevant — and of how the macOS threat landscape is continuing to evolve. 

Ransomware for macOS?

Several macOS security researchers have been analyzing EvilQuest (sometimes called ThiefQuest or EffectiveIdiot), another recently discovered piece of Mac malware. EvilQuest is noteworthy for a couple of reasons, as we will see.

EvilQuest appears to be distributed via malicious installers for pirated versions of legitimate software programs, including the Little Snitch firewall app as well as the music production and DJ apps Ableton and Mixed In Key. 

At first glance, EvilQuest appeared to be ransomware for macOS — which in and of itself is notable, since Mac-specific ransomware is a relatively new phenomenon. However, the amount requested ($50) seemed strangely modest, and aspects of the malware’s code indicated that the authors had no intention of ever decrypting a victim’s files. Detailed analysis by Patrick Wardle and others soon began to suggest that EvilQuest was much more than just ransomware.

As it turns out, the malware contains sophisticated anti-detection capabilities as well as persistence mechanisms, and also has the ability to contact a command and control server to allow attackers to execute code on a compromised Mac. Moreover, EvilQuest was found to have the ability to replicate itself locally on an infected system — a genuinely “viral” behavior rarely seen in macOS malware. 

But the most dangerous aspect of EvilQuest is its ability to access and exfiltrate user data (in particular, files related to cryptocurrency wallets and keys). In fact, some have started to suspect that this is the true function of EvilQuest, and that the “ransom” aspect of this ransomware is nothing more than a red herring designed to distract the victim from what’s actually going on — namely, the theft of sensitive and potentially valuable data.

EvilQuest is still being analyzed by security researchers, but at this stage we know enough to say that this malware is an unusually well-crafted hybrid threat for macOS — indicating that concerns over the growing quality of Mac malware are well-founded.

The future of Mac malware

As Macs become more prevalent — especially in enterprise settings — they will be seen as increasingly attractive targets for malware authors. Higher stakes mean better players entering the game (something which we’ve already started to see with nation-state actors and APT groups targeting Apple platforms). The upshot is that in the future, average users will face an increased likelihood of encountering powerful and difficult-to-detect macOS malware. 

The good news is that the third-party macOS security research community is stronger than ever, and is working hard to better understand the threat landscape and develop new tools to protect Mac users. In addition, Apple’s built-in security features are well-designed and robust, which means that even “good” macOS malware will usually require some kind of user interaction in order to be effective. This is why community, education, and information sharing are crucial — and why we’ll continue to keep you up to speed on the changing face of macOS security.