Checklist 26: Recent Upswing in Mac Malware Activity
- Fruitfly (January 18th, 2017).
- MacDownloader (February 6th, 2017).
- Downloader Word Macro Malware (February 6th, 2017).
- Proton RAT (February 7th, 2017).
- XAgent: Komplex malware resurfaces (February 14th, 2017).
- Bonus Item: Steps you can take to minimize malware threats.
After a relatively quiet period over the last few months of 2016 as far as sightings of new Mac malware goes, 2017 has already reversed course with a plethora of newly discovered malware targeting Apple’s macOS. Some of these threats are brand new, unknown to security researchers prior to the past few weeks, while others appear to simply be new variants of previously identified malware. They range from simplistic and poorly coded all the way to professional-grade malware with dangerous capabilities. In today’s episode, we’re going to take a closer look at these new threats that have been spotted targeting Macs in the first few weeks of 2017. We’ll cover what each piece of malware does, where it comes from, and what level of risk it poses to Mac users.
Fruitfly (January 18th, 2017). The prize for the first new piece of Mac malware of 2017 goes to a threat dubbed Fruitfly by Apple. While the existence of this piece of malware was first brought to light about halfway through January, there are actually some indications that this particular threat might have been making the rounds for much, much longer than expected. First spotted by an IT administrator who noticed some weird network traffic coming from one of his Macs, the malware quickly caught the eye of the security industry.
What it does: The Fruitfly malware appears to be purpose-built for corporate espionage. It contains code to capture screenshots and access the webcam on an infected Mac, ways to map out and connect to other devices on the same network, basic remote-control functionality, with additional capabilities to communicate with a Command-and-Control (C&C) server. Malware normally communicates with C&C servers in order to download new malware components, upload pilfered data, and receive further instructions from the malware author.
Where it comes from: The Fruitfly malware was first identified in the wild in a biomedical research institution, but there is no specific indication for where it first came from. However, as security researchers analyzed the malware components, they discovered a number of indications that this malware has been around for quite some time. The code uses some really archaic system calls for capturing screenshots and accessing the webcam — both of which could be accomplished with much more modern and streamlined system calls. Additionally, other parts of the code reference old versions of macOS dating back to late 2014, and the creation date timestamp on one of the components goes back to January 2015. While file creation and modification dates can be easily changed, researchers also discovered some malware targeting Microsoft Windows that used the same C&C servers as Fruitfly on VirusTotal, which is a platform used by security professionals to share and analyze malware samples. Those Windows-based malware samples go all the way back to the summer of 2013.
User risk level: This is kind of a good news/bad news situation. The good news is that Apple quickly added protection to macOS against the Fruitfly malware. The bad news is that this threat might have been making the rounds for years. It does appear to have specifically been targeting biomedical research institutions, so it’s unlikely to have posed much risk to most users outside of those specific settings.
MacDownloader (February 6th, 2017). In early February, another new piece of Mac malware was discovered — this time targeting the defense industry as well as a human rights advocate. Posing as an installer for Adobe Flash Player as well as the BitDefender Adware Removal Tool, the threat turned out to be poorly written and consisted of bits and pieces of code from other sources that were cobbled together by the malware’s author.
What it does: MacDownloader’s primary purpose appears to be stealing information from an infected Mac, including the user’s keychain, along with their username and password.
Where it comes from: According to the security researchers who discovered this threat, the malware was first found on a website impersonating an aerospace firm. The website was previously used in similar spearphishing campaigns against the defense industry.
User risk level: The Command-and-Control servers used by this malware were quickly taken down, which, when coupled with the poorly written nature of the threat, broke the malware’s method of embedding itself on an infected computer. Additionally, given that the malware appeared to target very specific groups, it is unlikely to have ever been a problem for most users.
Downloader Word Macro Malware (February 6th, 2017). In a weird twist, another piece of Mac malware was discovered on the same day as the previously mentioned MacDownloader threat. In an even weirder twist, it has a very similar name: “Downloader.” Beyond that, however, the similarities end. Now, the similar name wasn’t meant to confuse people. Downloader isn’t a new piece of malware overall, just new in the sense that it’s now targeting Macs. It’s been making the rounds on Windows for a few years now.
What it does: Downloader arrives as an e-mail attachment in the form of a Microsoft Word document. When a user tries to open the attachment, an alert appears letting the user know that the Word document contains macros that need to be activated. Macros are a feature found in Microsoft Word that can automate various aspects of a Word document, and macros have previously been used to spread malware. The macro in this particular Word document actually executes a binary file, which in turn checks for the presence of Little Snitch (which could alert a user to the presence of a threat) and attempts to connect to a remote site to download the malware payload if Little Snitch isn’t present on the system.
Where it comes from: Downloader arrives as an e-mail attachment, and appears to be part of a phishing campaign.
User risk level: Fortunately, there are a number of hoops that a user must jump through in order to be infected by this particular piece of malware. First, they need to receive the phishing e-mail with the infected Word document attachment. Then, they need to actually open the e-mail and download the file. Then they need to actually have Microsoft Office installed on their system and attempt to actually open the Word document. Then they need to click a button to activate the embedded macros in the Word document. Then, they need to *not* be running Little Snitch on their system. Then, and only then, could they be fully infected with the payload. So the bottom line is: Don’t open attachments from strangers, and don’t activate macros when opening a Word document unless you’re absolutely positive the file is clean!
Proton RAT (February 7th, 2017). Remember on a previous episode when we said the Dark Web can be used for bad stuff? Case in point: The newly discovered Proton RAT comes from the Dark Web, and is being sold on one of the leading Russian cybercrime forums that exists there.
What it does: Proton RAT (which stands for Remote Access Tool) is being touted by its author as completely undetectable, with a wide variety of features and capabilities. Some of the things this particular piece of malware can do include monitoring keystrokes, uploading files to a remote machine, downloading files from a remote machine, remote control capabilities, taking screenshots, and accessing the webcam.
Where it comes from: This piece of malware is being sold on cybercrime forums found on the Dark Web.
User risk level: This is another one of those good news/bad news situations. The good news is that the initial high price of the malware (which was originally being sold for the equivalent of $100,000 USD, later lowered to about $40,000 USD) might have been enough to limit its use to very specific targeted attacks by bad guys with deep pockets. The bad news is that the author started offering it at a much lower price (roughly $200 USD) for use against a single Mac. The other bad news? The malware is signed by a valid Developer ID certificate from Apple, which means that Gatekeeper wouldn’t have initially been enough to stop this threat from running. On the plus side, Apple is aware of the threat and included detection capabilities in the latest update to XProtect, which is a built-in anti-malware feature in macOS. It’s also a good bet that Apple has revoked the Developer ID certificate used by the malware author. Still, this threat is definitely one to keep an eye on for further developments.
XAgent: Komplex malware resurfaces (February 14th, 2017). Valentine’s Day is generally known for hearts, flowers, and lovey-dovey greeting cards. It’s not normally known for Mac malware, but 2017 doesn’t appear to be a very normal year! The Komplex malware isn’t new, but this particular variant/component of it is.
What it does: The XAgent malware, which appears to be part of the well-known Komplex malware family, is once again the type of malware that appears to be used for targeted espionage. The malware checks for system hardware and software information, grabs information on files and running processes, takes screenshots, and steals browser passwords stored in Firefox. It sends all that data to a remote Command-and-Control server. What sets this new component of Komplex apart is that it also checks for the presence of iOS device backups that were made through iTunes (and thus stored locally on the infected computer, rather than on Apple’s servers as is the case with iCloud backups). There is some debate as to whether or not the malware actually attempts to steal an entire iOS backup file, as those can be extremely large, or if it handles them on a case-by-case basis (iOS backups can be extracted into much smaller, easier-to-handle chunks of data, so the attacker might only need to grab the specific part of the backup that they’re interested in).
Where it comes from: The XAgent component of the Komplex malware is believed to come from a state-sponsored cyber espionage group in Russia. The same group was involved in the Democratic National Committee hack last year. Komplex was originally distributed as a malicious PDF document through spear-phishing attacks, and it is believed that the XAgent component is downloaded and installed on systems that were already infected with previous variants of the Komplex malware.
User risk level: The risk posed by XAgent can vary for each user, depending on their job or the industry they work in. Previously, Komplex has been known to target aerospace and defense corporations, the DNC, and other similar industries. Users in those types of industries should remain vigilant, as the threat posed by XAgent and Komplex isn’t likely to go away any time soon.
Bonus Item: Steps you can take to minimize malware threats. So the first few weeks of 2017 were pretty much loaded with new Mac malware threats. Ranging from amateur and basic to seriously complex, these emerging threats show that the Mac continues to be a target for malware authors. So what are some things that you can do to minimize the threats posed by Mac malware? We’ve got you covered:
1. Stay on top of updates and security patches for your apps and macOS. Many times malware makes it onto a system that is running older versions of macOS or apps that have security vulnerabilities. By keeping up with the latest updates and security patches, you can mitigate the risk posed by software with known vulnerabilities, which are often considered to be low-hanging fruit that offers easy access to the bad guys.
2. Run anti-malware software. While anti-malware software can be hit-or-miss when it comes to brand new malware, it’s generally very good at detection of known threats. Make sure to run some up-to-date anti-malware software, and use it to scan downloaded files before you even think about opening them. It can provide a great line of defense against run-of-the-mill malware threats.
3. Run an outbound firewall like Little Snitch. One of the main goals of any piece of malware is to stay hidden on a system. Outbound firewalls that monitor outgoing network traffic, such as Little Snitch, can quickly clue in a user when something is amiss on their system. In fact, a fair amount of malware freaks out when it detects Little Snitch on a system it’s trying to infect, and immediately gives up. This isn’t the case with every piece of malware, but it’s definitely an unexpected bonus!
4. Watch out for phishing attempts. When it comes to unexpected e-mail attachments or links to sites that just seem a little bit off, it’s better to err on the side of caution. If you don’t know the sender, be doubly cautious. If you do know the sender, verbally check with them to see if they actually sent the link or attachment before proceeding.
5. Be very careful with macros! Word document macros have long been a vector of infection when it comes to malware. While there are some situations where they are useful, they are more often something to be avoided. Unless you know exactly what you’re doing and expect macros to be present in a Word document, do not activate them when prompted.
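As an added example (not from the original episode, and not a tool from any vendor named here), a small Python check that answers the question behind both the Downloader write-up and tip 5: does this downloaded Word file carry a VBA project at all, before anyone opens it and sees the "enable macros" prompt? It reads the document as the OOXML zip container it is and looks for the `vbaProject.bin` part and the macro-enabled content type that Word declares for .docm files; the sample documents are constructed in memory for the demonstration, and legacy binary .doc files (OLE2, not zip) are reported as needing a different parser rather than being declared clean.

```python
import io
import zipfile

# OOXML part names under which Office stores a VBA project (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type Word declares for the main part of a macro-enabled (.docm) document,
# and the one it declares for a plain .docx.
MACRO_ENABLED_WORD = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_WORD = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_office_file(data: bytes) -> dict:
    """Report what the container itself says about macros, without opening it in Word."""
    report = {"is_ooxml": False, "has_vba_project": False,
              "macro_enabled_type": False, "vba_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy OLE2 .doc or not an Office file: needs another parser
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return report
    report["is_ooxml"] = True
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["macro_enabled_type"] = MACRO_ENABLED_WORD in content_types
    report["vba_parts"] = [p for p in VBA_PARTS if p in names]
    report["has_vba_project"] = bool(report["vba_parts"])
    return report


def verdict(report: dict) -> str:
    """Turn the report into the one-line answer a user wants before clicking."""
    if not report["is_ooxml"]:
        return "not an OOXML document: inspect with another tool before opening"
    if report["has_vba_project"] or report["macro_enabled_type"]:
        return "contains VBA macros: do not enable them unless you expected this file"
    return "no VBA project found"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal Word container in memory (test data, not a real document)."""
    main_type = MACRO_ENABLED_WORD if with_macros else PLAIN_WORD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:  # placeholder bytes standing in for a real VBA project stream
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()
```

To check a real download, call `verdict(inspect_office_file(open(path, "rb").read()))`; a document that contains a VBA project is not necessarily malicious, but it is exactly the case where the "enable macros" prompt should be refused unless the file was expected.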
If you’d like more information on the topic we covered today, or if there’s a specific topic you’d like to see featured on a future episode, send us an e-mail at firstname.lastname@example.org!