Two researchers, Collin Anderson and Claudio Guarnieri, have apparently come across a piece of Mac malware reportedly written by Iranian state-sponsored hackers. The researchers have authored a detailed report on the malware.
Their discovery highlights the depths to which governments go to track and disrupt activist movements.
MacDownloader Poses As An Installer for Adobe Flash, Researchers Say
A macOS malware agent, named MacDownloader, was observed in the wild targeting the defense industrial base, and was reported elsewhere to have been used against a human rights advocate. Oddly, MacDownloader poses both as an installer for Adobe Flash and as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases.
Based on their observations of the infrastructure and the condition of the code, Anderson and Guarnieri believe the observed incidents represent the first attempts to deploy the malware. Fortunately, the threat is neither persistent nor sophisticated. However, it is highly likely that the coders have “broader ambitions”.
MacDownloader Is Not Sophisticated But Is Still Dangerous
The researchers have been disclosing information about current Iranian activities for the purposes of public education and information sharing. MacDownloader is clearly not a sophisticated threat, but its sudden appearance is concerning, the experts add. The popularity of Apple machines within specific communities is alarming, together with the widespread belief that these machines are safer than Windows systems.
The approach taken by MacDownloader is quite similar to that of the ExtremeDownloader dropper previously monitored by the researchers. “The exposure of test victim data and code references provide a unique insight into the development of the malware, with potential connections to agents developed by long dormant threat groups,” the two conclude.
MacDownloader is installed as a fake Flash update. Once installed, it connects to an external server, supposedly to grab additional modules for deployment. In the meantime, the malware siphons system information to a remote server controlled by the hackers. This information includes the contents of the Mac’s keychain folder and a list of installed apps. The threat also displays a fake prompt box asking for the system’s username and password, and this information is sent to the hackers as well.
Armed with the user’s credentials, the attackers would then be able to access the encrypted passwords stored within the Keychain database. While Chrome and Firefox do not store credentials in Keychain, Safari and macOS system services do save passwords for websites, remote file systems, encrypted drives, and other resources there.