4 Mac Malware Finds in 2022
In 2022, macOS security researchers uncovered a number of new Mac malware variants. Here are four of the most interesting discoveries—as well as key takeaways and tips on how to stay safe.
One of the first Mac malware variants of 2022, DazzleSpy is a macOS implant that makes its way onto a user’s computer via a Safari (WebKit) exploit.
First discovered on malicious as well as legitimate-but-compromised websites, DazzleSpy appears to be part of a malware campaign that targets Hong Kong activists.
An analysis of DazzleSpy done by researcher Patrick Wardle concludes that the malware “includes everything you’d expect to find in a cyber-espionage implant, including surveying the infected host, exfiltrating files, running commands, [and] self-deletion.” Wardle also notes that DazzleSpy comes with a number of “more advanced features” like “the ability to search for files,” “start a fully interactive remote desktop (RDP) session,” and “dump the keychain (on systems vulnerable to CVE-2019-8526).”
Takeaways: WebKit continues to be a significant source of vulnerabilities for macOS users—and well-resourced threat actors are able to create complex exploits around these vulnerabilities. So-called “watering hole” attacks, in which a targeted group of people is lured to a malicious or compromised website, are one way that bad actors can use these exploits to infect users with malware.
Staying safe: Automate your OS and app updates so that vulnerabilities are patched ASAP. If you’re running macOS Ventura, consider turning on Rapid Security Response: This will give you instant access to urgent security patches rolled out by Apple between major updates. In addition, always be careful about the websites you visit, and be aware that even trusted websites may be compromised by bad actors.
TraderTraitor is the name used by the US government to describe a number of malicious apps discussed in a joint advisory from April 2022.
TraderTraitor appears to be the work of a North Korean APT. The malicious activity observed bears the hallmarks of the notorious Lazarus Group.
TraderTraitor targets the cryptocurrency industry, and its objective is to steal cryptocurrency. TraderTraitor malware is spread via targeted phishing messages sent to people who work at cryptocurrency companies. According to the government advisory, “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.” The malware contains a remote access Trojan that allows the bad actors to steal information, execute commands on an infected system, and download other malware as needed.
Takeaways: The crypto space continues to be a source of risk for Mac users. In general, cryptocurrency, NFTs, and the like have become a popular target for the bad guys. Bad actors have latched onto scam job ads as an effective pretext to use in social engineering schemes.
Staying safe: There’s nothing wrong with cryptocurrency per se, but be mindful of the risks and treat anything to do with crypto with increased caution. Be aware that bad actors are using scam job ads and job offers in their phishing attacks, and learn how to spot these scams.
The ESET security researchers who analyzed CloudMensis say that its distribution method is unknown, but that it appears to have been used only in targeted attacks.
Interestingly, CloudMensis makes use of public cloud infrastructure for command and control (C&C). The malware seems designed to collect and exfiltrate user data. Once active on an infected Mac, CloudMensis can take screenshots and record keystrokes, collect emails and other sensitive files, and exfiltrate captured data.
Takeaways: macOS threat actors are constantly evolving, using new techniques to build, distribute, and control Mac malware. The use of cloud infrastructure for C&C purposes (also seen in this year’s Gimmick Mac malware) is just one example of this.
Staying safe: The ESET researchers say that “no undisclosed vulnerabilities (zero-days) were found to be used” when they analyzed CloudMensis. There were, however, a number of telltale signs of older vulnerabilities being exploited by the malware. Once again, Mac users are advised to always keep their Macs and their software up to date—preferably via automatic updates or Rapid Security Response.
Alchimist is a cross-platform attack framework for Windows, Linux, and macOS. It was first described by security researchers at Cisco’s Talos Threat Intelligence group.
The researchers at Talos say that they have “moderate-high confidence that this framework is being used in the wild.”
The Alchimist framework takes its name from its associated C&C server, but includes malicious implants that target different computing platforms. On Windows and Linux, the backdoor is known as Insekt RAT. On macOS, it’s an unnamed executable that exploits a vulnerability in a macOS utility, giving attackers the ability to execute arbitrary commands on the infected Mac.
Takeaways: Malware authors are adopting the service model of legitimate software developers, writing feature-rich, cross-platform tools that can be wielded by unskilled users. As Macs become more prevalent, especially in the enterprise, we can also expect malware creators to port older malware for Windows and Linux to macOS.
Staying safe: Off-the-shelf malware has democratized hacking—and as such, Mac users should prepare for a corresponding increase in threats. Always keep your system and apps up to date; use a robust malware detection solution on your Mac; and consider using an outbound firewall app to detect suspicious network activity.
To learn more about how to keep yourself safe from Mac malware, check out the following resources:
- The Mac Trojan Horse Malware Guide has information about Trojans on macOS as well as steps you can take to avoid trojanized Mac apps.
- The Checklist is a weekly Mac security podcast that offers macOS news, alerts, and updates to help you stay on top of the latest scams and threat actor tactics.
- “How to use checksums on Mac to verify app downloads” is a blog post that teaches you how to use your Mac’s built-in features to double-check the integrity of third-party apps before you run them.