SecureMac, Inc.

Iranian Malware Targets User Passwords in the macOS Keychain

February 17, 2017

A brand-new type of malware affecting Macs is in the wild, and this time there are definite signs of development in conjunction with a foreign nation. Designed (albeit rather poorly) to look like a Flash update, this malware, dubbed MacDownloader, is an unsophisticated attempt to glean user passwords. Uncovered by security researchers after the malware targeted major defense contractors, the program may feature amateurish code, but its threat is very real.

After fooling a user into downloading the false Flash update, the malware quickly goes to work profiling the user’s system and entering the macOS keychain. It duplicates the databases, effectively stealing your passwords all while acting as though it is updating Flash. Though MacDownloader’s command and control server is now down, the malware would normally attempt to transmit this information back to its creator.
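The behaviour described above, a non-system process reading and duplicating the user's keychain database, is what a defender would want to flag. The following is an added example, not code from the article or from any analysis of MacDownloader: a small heuristic that scans file-access records (here a constructed, tab-separated sample; the "FlashUpdate" process name is made up) and reports any process outside a short allowlist that touches a keychain file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Processes expected to touch the login keychain. Illustrative allowlist
# (an assumption for this example), not a complete list of legitimate clients.
TRUSTED_PROCESSES = {"securityd", "Keychain Access", "security"}

# Matches the user keychain files under ~/Library/Keychains (login.keychain
# on older systems, login.keychain-db on Sierra and later).
KEYCHAIN_RE = re.compile(r"/Library/Keychains/[^/\t]+\.keychain(?:-db)?$")


@dataclass
class Event:
    timestamp: str
    process: str
    action: str  # open / read / copy / write
    path: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one tab-separated record: timestamp, process, action, path."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None  # malformed record: skip it rather than crash
    return Event(*parts)


def suspicious_keychain_access(lines: List[str], trusted=TRUSTED_PROCESSES) -> List[Event]:
    """Return events where a non-allowlisted process touches a keychain file."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and KEYCHAIN_RE.search(ev.path) and ev.process not in trusted:
            hits.append(ev)
    return hits


# Constructed sample records for this example; "FlashUpdate" stands in for a
# fake Flash installer and is not a real process name from the article.
SAMPLE_EVENTS = [
    "2017-02-17T10:00:01\tsecurityd\topen\t/Users/alice/Library/Keychains/login.keychain-db",
    "2017-02-17T10:02:14\tFlashUpdate\tread\t/Users/alice/Library/Keychains/login.keychain-db",
    "2017-02-17T10:02:15\tFlashUpdate\tcopy\t/Users/alice/Library/Keychains/login.keychain-db",
    "2017-02-17T10:02:16\tFlashUpdate\twrite\t/tmp/.flash/login.keychain-db",
    "2017-02-17T10:03:00\tSafari\topen\t/Users/alice/Library/Caches/index.db",
    "garbage line",
]

if __name__ == "__main__":
    for ev in suspicious_keychain_access(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.process} {ev.action} {ev.path}")
```

On the sample above only the two "FlashUpdate" reads of login.keychain-db are reported; the staged copy under /tmp is outside the keychain directory and is left for a separate exfiltration check.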

Despite this malicious intent, poor programming limits the malware. It cannot achieve persistence on the system (though there seems to have been an intention to make it so) and encounters errors during other operations. During execution, it even seems confused about what it is, at times pretending to be a BitDefender update instead. During the pseudo-installation process, the fake Flash updater informs users about other malware on the system. However, despite its low level of sophistication, users could still suffer from the theft of their data if infected.

MacDownloader is the type of malware that requires an invitation into your system. Simply because you use a Mac does not mean you can assume safety and protection. Its deployment through a known Iranian phishing website demonstrates that a user must always pay very close and careful attention when downloading software from the web. Not every application is trustworthy, nor is every site what it claims to be.

Based on the sheer number of spelling errors and other obvious faults, poorly executed malware like MacDownloader should be easy for users to avoid. However, it is highly likely that this version of the malware represents only the first steps. Analysis by security firms connects the software to a known Iranian group with ties to state security. If bad actors from nations like Iran are working to develop active Mac malware, we must be even more vigilant about security. Though MacDownloader was quickly uncovered and remedies will proliferate quickly, there may be other similar threats to contend with in the future.