Our 2022 review of macOS malware revealed that the threats faced by businesses and users running macOS endpoints included an increase in backdoors and cross-platform attack frameworks. Threats like CrateDepression and PyMafka used typosquatting attacks against package repositories to infect users, while ChromeLoader and others like oRAT leveraged malvertising as an infection vector.
However, the infection vector used by many other macOS threats remains unknown. SysJoker, OSX.Gimmick, CloudMensis, Alchemist and the Lazarus-attributed Operation In(ter)ception are just some of those for which researchers still do not know how victims were initially compromised. In these and other cases, researchers happened across the malware either in post-infection analyses or by discovering the samples on malware repositories like VirusTotal, where the sample’s trajectory from threat actor through victim to discovery remains largely untraceable.
Although this gap prevents us from building a full picture of any particular attack campaign, fortunately we can as defenders enumerate the possible ways that malware can compromise a macOS system and analyze how malware has used these vectors in the past. Armed with this knowledge, we can look to build more resilient defenses and security policies to prevent threats gaining entry.
There is an abundance of macOS malware that is distributed through free content downloads sites such as torrent sites, shareware sites, cracked app sites or free 3rd party app distribution sites.
Content lures include:
Free content lures are primarily used to drive adware and bundleware infections, but cryptominers such as LoudMiner have also been distributed this way.
The most common scenario is a user being offered free or cracked versions of an application; the user initiates a download of a disk image file purporting to contain that application but on mounting it finds that it is called something like “Flash Player”, “AdobeFlashPlayer.app” or similar. These files are usually unsigned and the user is given instructions on how to override macOS Gatekeeper in order to launch them.
As shown in the above image, this is a simple trick in the Finder that even non-admin users can use to defeat the Mac’s built-in security mechanism.
Some threat actors have recently been seen directing users to the Terminal to override Gatekeeper there, presumably to workaround any additional security controls that organization admins might have deployed via MDM (mobile device management).
Some users set out to seek legitimate content but are pulled into malicious sites through advertising and ‘too good to be true’ deals and offers. Anecdotal evidence suggests that there is a widespread perception among Mac users that exploring such links is not inherently dangerous because Macs are “Safe” and “Don’t get viruses”. The nature of these sites, however, and the insistent use of popups, misleading icons and redirecting links can quickly lead a user from a safe search to a dangerous download.
Although the “Flash Player” lure is largely used by adware and bundleware campaigns, it was also seen in a long-running campaign by Chinese threat actors distributing macOS.Macma. Other campaigns that have made significant use of this vector include OSX.Shlayer, Pirrit and Bundlore. These threats are well-detected by security vendors but often missed by Apple’s built in signature-based detection technology XProtect.
Mitigating infections through this vector include:
Maliciously-crafted ads on webpages can run hidden code inside the user’s browser, redirecting the victim to sites showing popups with fake software updates or virus scan warnings. In the past 12 months, known malvertising campaigns aimed at macOS users include ChromeLoader and oRAT.
ChromeLoader, also known as Choziosi Loader or ChromeBack, takes the form of a malicious Chrome extension that hijacks the user’s search engine queries, installs a listener to intercept outgoing browser traffic, and serves up adware to victims.
oRAT is a backdoor implant written in Go and is downloaded to the victim’s machine as an unsigned disk image (.dmg) masquerading as a collection of Bitget Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution identifier
An encrypted blob of data is appended to the malicious binary that contains configuration data such as the C2 IP address.
More details on oRAT can be found in the writeup here.
Mitigations for threats distributed through malvertising include:
Developers are high-value targets for threat actors looking at mass infections, supply chain attacks, espionage and political manipulation. Undoubtedly the most successful attack on Apple developers to date was XcodeGhost, a malicious version of Apple’s Xcode IDE hosted on a server in China in 2015. A number of Chinese developers chose to download what they believed to be a local mirror of Xcode because downloading the legitimate version from Apple’s servers in the US was extremely slow.
XcodeGhost inserted malicious code into any iOS app that was built with it, and a number of infected apps were subsequently released on Apple’s App Store. The infected apps were capable of stealing sensitive information such as the device’s unique identifier and the user’s Apple ID, and executing arbitrary code on the infected iOS device.
More commonly and more recently, threat actors have sought to infect developers by means of shared code. Because developers look to increase productivity by not ‘reinventing the wheel’, they will often seek out shared code rather than attempt to write their own implementation of tricky libraries or unfamiliar API calls.
Useful code can be found in public repositories hosted on sites like Github, but these can also be laced with malware or code that opens a backdoor from the developer’s environment to the attackers. XCSSET malware and XcodeSpy have both exploited shared Xcode projects to compromise developers of macOS and iOS software.
In XCSSET, a project’s
<project name>.xcodeproj/project.xcworkspace/contents.xcworkspacedata was modified to contain a file reference to a malicious file hidden in the project’s
xcuserdata folder. Building the project caused the malware to be executed, which then dropped a multi-stage infection on the developer’s machine, including a backdoor.
In XCodeSpy, a threat actor distributed a doctored version of a legitimate, open-source project available on GitHub. The project’s Build Phases included an obfuscated Run Script that would execute when the developer’s build target was launched.
The script created a hidden file at
/private/tmp/.tag , which contained a single command:
mdbcmd. This in turn was piped via a reverse shell to the attackers C2. The file path is linked to two custom EggShell backdoors found on VirusTotal.
On execution, the customized EggShell binaries drop a LaunchAgent either at
~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist. This plist checks to see if the original executable is running; if not, it creates a copy of the executable from a ‘master’ version at
~/Library/Application Support/com.apple.AppStore/.update then executes it.
Mitigations for threats distributed through this vector include:
Things start to get more serious when threat actors target open source package repositories. Code shared through these is widely used across many projects in enterprises and security vetting is both weak and difficult. There are many in use across different platforms and languages including:
Package repositories can be susceptible to typosquatting attacks and dependency confusion attacks. In some cases, ownership of legitimate packages has been hijacked or transferred to malicious actors.
In May 2022, a popular PyPI package ‘PyKafka’ was targeted in a typosquatting attack with a package named ‘PyMafka’. The PyMafka package contained a Python script that surveyed the host and determined the operating system.
If the device was running macOS, it reached out to a C2 and downloaded a Mach-O binary called ‘MacOs’ and wrote it to
/private/var/tmp with the name ‘zad’. The binary was UPX-packed and obfuscated and dropped a Cobalt Strike beacon.
Only a week earlier, the Rust repository Crates.io had also been targeted by threat actors typosquatting the legitimate rust_decimal package with a malicious rustdecimal package. The latter targeted environments with GitLab Continuous Integration (CI) pipelines and dropped a Go-written macOS-compiled Poseidon payload.
As 2022 closed out, an actor who later claimed to be a ‘researcher’ targeted the PyTorch package on PyPI with a dependency confusion attack.
Dependency confusion attacks take advantage of the fact that some packages have dependencies that are hosted on private servers. By default, package managers handle a client’s request for dependencies by first searching the public repository. If the dependency package’s name doesn’t already exist in the public repo, an attacker can upload their own malicious package to the public repo and intercept the request from the client.
The malware dropped in the attack on PyTorch collected and exfiltrated a variety of sensitive data from the victim’s machine for transfer to a remote URL, including the contents of
PyTorch is a popular open-source machine learning library for Python, estimated to have had around 180 million downloads. In the 5 days between Christmas Day and New Year’s day that the malicious package was hosted on PyPI, it achieved 2300 downloads.
Mitigations for threats distributed through this vector include many of the same recommendations as for protecting against malicious shared developer projects. In addition, security teams can also adopt the following recommendations:
Attacks on package repositories can be devastating and far-reaching, but they are also noisy: they will inevitably be discovered and draw a lot of attention. In contrast, threat actors looking to deliver malware to specific targets more stealthily may prefer to trojanize popular applications.
In 2021, sponsored links in the Baidu search engine were used to spread malware via trojanized versions of the popular Terminal application, iTerm2. Further investigation into OSX.Zuru as it came to be known, found that the campaign also used trojan versions of Microsoft’s Remote Desktop for Mac, Navicat and SecureCRT. The apps’ were codesigned with a developer signature different from the legitimate signature, primarily to ensure that they were not blocked by Gatekeeper. Aside from replacing the original code signature, the threat actor had modified the original application bundles with a malicious dylib in the
.app/Contents/Frameworks/ folder called
libcrypto.2.dylib. Analysis of this file revealed functionality for surveilling the local environment, reaching out to a C2 server and executing remote commands via a backdoor.
The selection of trojanized apps was interesting and suggests the threat actor was targeting backend users of tools used for remote connections and business database management.
More recently, Chinese-linked threat actors have been found distributing trojanized versions of EAAClient and SecureLink that deliver a Sliver payload. These trojan’s are delivered without a code signature and the threat actors use techniques described above (See: The Lure of Free Content) to persuade victims to override local security settings through the Terminal.
Researchers have also recently found malicious versions of an open-source tool that are designed to steal the victim’s password and keychain – effectively giving the actor full access to all the user’s passwords in macOS. In this case, the tool in question, Resign Tool, is used by developers to resign apps and bundle them into ipa files for installation on iOS devices – indicating the threat actor’s clear interest in infecting developers.
Mitigations for threats distributed through this vector include:
A less common infection vector and one that requires some skill to pull off is using browser exploits to infect visitors to a poisoned website. Zero day exploits in browsers are a regular focus area for hacker competitions, including China’s annual Tianfu Cup. Even after being patched, these vulnerabilities can still be used as N-Days against organizations or users that fail to keep their brower’s up to date.
In the most recent security update for macOS Venture and Safari released on December 13, 2022, here are just some of the more than 30 bugs that were patched:
According to researchers at Google’s TAG, Macma combined an N-day remote code execution vulnerability in WebKit (CVE-2021-1789) and a zero day local privilege escalation in XNU (CVE-2021-30869. The chained exploits were used to load and execute a Mach-O binary in memory. The malware was able to escape the Safari sandbox, elevate privileges, and download a second stage payload from a C2.
Firefox zero days have also been used in attacks on macOS users. Coinbase reported targeted attacks via what later became known as CVE-2019-11707 in 2019, which delivered variants of Netwire and Mokes malware.
Mitigations for threats distributed through this vector include:
Some of the infection vectors we have covered already can and have been used in attempted supply-chain attacks, particularly those involving trojan applications, shared developer code and package repositories. However, those cases all involved fake or imitation versions of legitimate code, packages and applications.
Supply chain attacks in which a threat actor compromises the legitimate code distributed by a vendor to other clients is rarer but not unheard of. Back in 2016, popular macOS torrent client Transmission was infected with a rare example of macOS ransomware. Threat actors compromised the developer’s servers and added KeRanger malware to the disk image containing the software.
Supply chain attacks can occur through many of the vectors discussed above and can occur anywhere in the supply chain, including directly within the organization’s own development and production cycles. For this reason, defending against such a compromise requires an overall security strategy that includes most of the recommendations given above, but focuses in particular on:
Notable among the absences above are two commonly used infection vectors seen, particularly, used against Windows users: emails containing phishing links, and RCEs through publicly exposed internet connections.
Malicious links and attachments represent an opportunity for threat actors targeting any system, including macOS. Maldocs that determine the host system and have specific logic for macOS have been known, but they are not widely reported. Sandbox escapes for MS Office for Mac are also not unheard of.
As noted in the introduction to this post, many malware infections’ initial means of compromise remain unknown to researchers, and given the prevalence of phishing emails in compromises in general, it’s certainly a vector that defenders must consider.
Remote attacks involving unauthorized code execution tend to be common on Windows as a result of weaknesses in Microsoft software, particularly the RDP protocol. Having said that, a review of Apple’s security updates does reveal that zero-day bugs in macOS are possible.
In both cases, organizations can defend against the possibility of compromise through both these vectors by implementing security controls previously outlined, with an emphasis on endpoint protection and timely software updates to protect against malware executed via phishing attempts and RCEs through software and OS vulnerabilities.
Preventing attacks at the first stage of infection reduces the impact on both the security team and the organization. Unfortunately, there is still a widespread perception that macOS controls like codesigning, Gatekeeper and Apple’s notarization service are enough to prevent successful malware attacks, but the success of malware in 2022 and before prove otherwise.
By fortifying their defenses and understanding the main infection vectors used by in-the-wild macOS malware as discussed above, security teams can better protect the organization. To see how SentinelOne can help protect the Macs in your organization, contact us or request a free demo.