SecureMac, Inc.

Checklist 71: 2017 Security Review Part One

January 11, 2018

What was the biggest story about computer security to hit the news in 2017? It’s hard to pick just one — it’s safe to say it was a massive year for developments in the security sector, and many of these stories brought a growing awareness of digital security to the public. For this, Episode 71 of The Checklist, we sat down during the first week of January 2018 to put a magnifying glass over the year that just ended. For part one of our discussion, we’re taking an in-depth look at the biggest security issues that affected macOS and iOS in 2017. With so many things going on — and there were quite a lot — it can be tough to remember all the details. To start our recap, we’ll go all the way back to this time one year ago: the beginning of January.

2017 in macOS Security

We started the year off with some startling news: the discovery of the so-called Fruitfly backdoor. This one appeared very early in January, and it seemed to be purpose-built for corporate espionage. That’s not to say it was a particularly sophisticated piece of malware; in fact, it appeared to be rather old. However, it contained code for capturing screenshots, taking over a user’s webcam to snap pictures, and some other features.

Infected Macs would also allow it to probe and map network connections, eventually spreading over to other devices. With built-in methods for communicating with a command and control server, along with remote control functionality, Fruitfly could let a hacker do a lot. Who created it, and what it was used for, remain a mystery. It was a sign of what was to come, though: a busy year with many new Mac malware discoveries.

MacDownloader came next, making a splash in early February with infections targeting defense industry individuals as well as human rights advocates. Its goal: steal user information and device login credentials by targeting the Keychain. In general, this was not something the average user would encounter. In fact, it seems to have been part of a trend over the entire year in which many of the new attacks, perhaps as much as 50% of them, were focused and zeroed in on specific users. The other half was made up of more traditional scattershot approaches. Overall, though, MacDownloader’s low threat profile also made it much harder to detect at first.

That’s also a part of why it may have taken Fruitfly so long to receive attention. Under analysis, it was revealed that Fruitfly contained some pretty old code — methods for taking screenshots and more that relied on old, deprecated system calls. Because taking a screenshot is an innocuous, normal function, though, it didn’t throw up any red flags. This method of using benign functions for malicious purposes appeared in several more of 2017’s threats.

In fact, the next item on our list is another example of just such a technique. This one, dubbed merely “Downloader,” was discovered the same day as MacDownloader. It functioned in a much different manner, though, taking the form of a Microsoft Word macro. A macro is a simple script that uses built-in Word functionality to let users record and play back sequences of actions automatically. It is meant to streamline workflows and offer convenience. Macros can be used maliciously, however. The document arrived as an email attachment, and a user who opened the Word file would receive a prompt asking whether they wished to enable the macros in the document. If they selected yes, the macro would execute — downloading the actual malware components and compromising the user’s machine. While it didn’t reach many Macs at all, it’s notable for exploiting an older, less-used attack vector.

One new sample of malware did reach many users and even ensnared some pretty high-profile victims. This was the Proton RAT (remote access tool), which also came out in February. Traditionally, RATs were used by system administrators for legitimate remote access purposes. Those might be installing updates or troubleshooting a difficult problem. Proton, on the other hand, was built specifically for nefarious purposes. Its author sold it off to hackers on the dark web, and the race was on to distribute it to vulnerable machines.

Once installed, Proton would allow an operator to monitor and record keystrokes, upload and download files from the machine, and generally exercise a full level of access and control. Perhaps the most notable incident involved the compromise of several download servers for popular Mac apps. The most visible occurrence concerned the widely used video conversion software HandBrake. A distribution server was hacked, and an infected version of the installer was uploaded in place of the real one. Many users unknowingly installed malware, expecting HandBrake instead.

One notable victim was Panic, a software and game developer for the Mac that suffered a breach because of an infected HandBrake installation. Through the Proton RAT, the bad guys made off with the source code to a number of their apps. Luckily, this code was already in the process of an overhaul, so the long-term damage to the company was minimal. Still, it was a major showcase of what can go wrong.

XAgent, a derivative of a previously known piece of malware called Complex, also joined the crowd in February. Though this was another example of targeted espionage using malware, it was notable because its primary purpose was to seek out and exfiltrate information from iOS backups on the infected device. In addition, it would also attempt to steal specific files if present.

Rounding out an extremely active month was FileCoder, a malware that came packaged as a software cracker, the type used to bypass copy protection on popular software and games. Instead of unlocking the software you wanted to use, it would generate a random key and — surprise! — lock down your Mac to demand a ransom. However, FileCoder was not well designed at all, and in fact included no way to communicate with the hackers demanding the payment. If a user paid, they could never get the decryption key. While frustrating for those who were infected, word quickly spread that there was no way to recover a key, which discouraged more people from paying the ransom.

After all that, we got a bit of a breather, as it wasn’t until April that the next notable item of Mac malware made the news. Simply called “Doc,” after its attack method, it was packaged into a ZIP file and sent as an email attachment. The email was part of a phishing campaign that informed users they were facing a tax problem, or that they had missed some kind of important payment. The attached file, the email claimed, would tell them more.

Once downloaded and opened, Doc installed malware that would begin routing all a user’s Internet traffic through Tor, the onion routing software we’ve discussed on The Checklist a few times before. It would allow the attackers to become a “man in the middle,” intercepting and analyzing your web traffic for sensitive information and login credentials. A few days after Doc was discovered, researchers also described “Bella,” an open-sourced spin on Doc’s core functionality. Instead of installing and routing traffic through Tor, though, it merely pilfered any sensitive files and data it could find on a user’s Mac.

Moving into May, we saw an interesting development as a well-known form of Microsoft Windows spyware, called Snake, made the jump over to the Mac. Someone had made the specific effort to port this malware to an Apple platform. Again, though, this seemed to be a targeted attack, as on Windows it had always focused on specific individuals. Most researchers attributed the appearance of Snake on macOS to entities linked to the Russian government. As an Advanced Persistent Threat, it’s not a significant concern to average users — but it did serve as a reminder to us all that macOS’s position on hackers’ target lists is on the rise.

As June arrived, so did more malware — malware as a service, that is. This is part of a growing trend that has recently begun to influence Apple products, too. So, what happened? On the dark web, malware called MacSpy suddenly appeared for sale, and with a huge price tag to boot. Its author claimed it was undetectable and capable of taking control of Macs and performing an array of the usual creepy and invasive tricks. Also in June, MacRansom appeared for sale as well, possibly from the same author. Instead of being a spy tool, this was ransomware as a service. In both cases, the author offered to sell licenses to use the malware rather than access to the source code itself. Though both these services made waves in the news, it is still not clear if anyone purchased a license or attempted to use MacRansom and MacSpy. So far, if they have, they continue to fly under the radar. It may be something we’ll have to revisit later!

In August, Pwnet gave Mac gamers everywhere a headache. Disguised as a cheat program for the popular first-person shooter, Counter-Strike: Global Offensive, Pwnet didn’t give gamers the advantage they expected. Instead, it began to secretly use the system’s computing power to mine cryptocurrencies for its masters. In fact, crypto miners are a growing class of malware that we’ll undoubtedly see more of in 2018. Another miner, CPU Minerd, appeared in November of 2017 and disguised itself as a commonly pirated piece of software.

Because these miners eat up all your memory and CPU cycles, they can slow your machine to a crawl. We’ve even begun to see malvertising that involves mining code bundled directly into webpage ads. It is essentially like someone stealing your resources to use for their own enrichment. It may be better than having someone steal your personal information, but it’s still totally unwanted — and something that security researchers continue to work to combat.

Overall, that covers all the major threats we saw last year for macOS. It will be interesting to see whether 2018 follows the same pattern, with many new threats early, or if the year will chart a different course. However, Macs certainly aren’t the only Apple platforms of importance.

2017 in iOS Security

As central as the Mac is in the lives of many of our listeners, iOS devices, such as iPhones, are much more prevalent. The iPhone itself has become something of a cultural institution, after all. So, we’re also taking a quick look at some of the concerns that faced owners of these devices over the past year. What was 2017 like for the iOS user?

One of the first things we kicked off the year with was a unique and strange issue related to emojis. Though it was spread mostly by pranksters and individuals looking to cause trouble, it created a noticeable amount of disruption and even got Apple to issue a patch to fix the problem. Affecting users of iOS 10.0 and 10.1, it leveraged a problem the system had in creating a rainbow flag emoji by combining two emojis into one. When characters were hidden in between the emojis, iOS was unable to render an appropriate result — causing the device to lock up instantly. It would happen even if you didn’t open the message! After a few minutes, the device would recover, but it was easy to get stuck in a loop of freezes and crashes as some users sent out the string of emojis repeatedly. Thankfully, Apple was on the ball and patched the issue in iOS 10.2.

2017 had in store some interesting developments for the Secure Enclave, the much-touted encrypted coprocessor that makes Touch ID and Face ID possible and safe. For the first time, we saw reports that its security may not be as unassailable as Apple has claimed. Since biometric data is one of the most identifiable and irreplaceable types of personal info out there, it is essential to weigh the potential security risks against the convenience of technologies such as fingerprint readers. That is why, once your phone’s main CPU sends information about the fingerprint to the Secure Enclave, it cannot read any of the operations that occur within. Apple’s goal has always been to offer these services with as much peace of mind for the user as possible.

In September of last year, though, a hacker determined a method for accessing one of the encryption keys used in the Secure Enclave’s digital communications. To pass the data required for authentication back and forth, your iOS device’s CPU and the Secure Enclave go through a very complex series of digital handshakes and key exchanges. By scrutinizing these interactions in detail, the hacker was able to create a tool that could extract just one of these keys. This key alone does not give an attacker much of a foothold, and the amount of information it could unlock is relatively small. However, this experimental research does indicate that there may be potential avenues for uncovering vulnerabilities in the Secure Enclave. Since any attack would have to go device by device, though, it’s not a widespread threat — just something to watch over time.

We know that phishing has been on the rise everywhere, but 2017 saw more iOS users targeted by schemes and scams than ever. In fact, a proof of concept for a tricky phishing attack surfaced near the end of the year as well. In this case, it would spoof the actual pop-up notifications used by the system to fool the user into giving up critical information. This attack has a very limited scope, however, and no known incidents have occurred in the wild.

That’s not the end of the story for phishing on iOS. In December, we began hearing reports of a scheme that involves phone calls using spoofed numbers. If a user Googles the number, they’re likely to see that the call appears to originate from a local Apple store. Upon answering the call, individuals hear a message that claims a virus has infected their phone and that assistance will be necessary to fix it; it then directs them to press 1 to accept the call. If they do, the individual connects to a phony tech support assistant. This person then directs the user to take actions on their device or Mac that would give the scammer access to all their information. Obviously, Apple won’t be calling you — so be sure to hang up if you hear a suspicious message such as this.

Overall, while iOS did have its fair share of hiccups and issues that required patches in 2017, users remained generally secure from the most nefarious threats facing mobile users. That’s all the time we have for this week to cover topics for Part One of our 2017 Security Review, but we’ll be back again next week to dive into Part Two. There, we’ll look at some security “wins” and “fails” that Apple had, plus the emergence of some super-sized security threats.

We covered many of the topics we touched upon today as they happened last year. Want to go back and learn more about all that malware in our archives? You can easily find all the show notes for those episodes right here on our site.

Got a question, or want to share a topic with us that you’d like to hear about in the future? We’d love to hear from you. Just send us an email at and let us know what you’re thinking!

As always, thanks for listening to The Checklist, brought to you by SecureMac.
