Apple’s macOS, just like Microsoft’s Windows operating system, has been targeted by various forms of malware such as viruses, Trojans and backdoors, worms, ransomware, adware, browser hijackers and tech support scams. Below you will find a selection of the most devstructive macOS malware pieces detected in the wild in recent years.
Backdoor:OSX/Iworm / iWorm
Backdoor:OSX/Iworm, or simply iWorm was detected in 2014.
Backdoor:OSX/Iworm was able to connect affected Mac OS X machines to a botnet and could execute a range of commands.
As reported by security researchers back in 2014, iWorm used a complex multi-purpose backdoor, deployed by threat actors to issue commands that enabled a wide range of activities on infected Macs.
The malware was also reported to have an extensive use of encryption in its routes. iWorm was able to uncover other software products installed on the infected host and could also send this information to its operators.
The threat could open a port on the system, download additional files, relay traffic, and send a query to a web server to acquire the addresses of the command and control servers. All of these activities mean one thing – iWorm turned Macs into enslaved zombie machines.
It should also be noted that iWorm displayed quite a novel behavior in the year it was initially detected: it used reddit.com as a command and control center. The malware used information posted in Reddit messages to acquire a control server address list.
In April 2018, security researchers detected another backdoor believed to be the latest version of a threat used by the OceanLotus group of hackers, also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty. The OceanLotus hackers are known for launching targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. As for OSX_OCEANLOTUS.D specifically, the malware targes MacOS computers which have the Perl programming language installed, TrendMicro reported.
The backdoor was spotted in a malicious Word document which most likely was distributed via email. The document posed as a registration form for an event with HDMC, an organization in Vietnam advertising national independence and democracy.
After the researchers deobfuscated it, they saw that the payload was written in the Perl programming language. It extracted theme0.xml file from the Word document. “theme0.xml is a Mach-O 32-bit executable with a 0xFEEDFACE signature that is also the dropper of the backdoor, which is the final payload. theme0.xml is extracted to /tmp/system/word/theme/syslogd before it’s executed,” the researchers said.
Calisto macOS Backdoor
Discovered in the summer of 2018, the macOS Calisto backdoor a.k.a. OSX.Calisto Trojan remained undetected for at least two years, says Kaspersky Lab. Apparently, the backdoor was first uploaded to VirusTotal in2016, and researchers believe it was coded the same year. The sophisticated malware remained undetected until May 2018.
In its latest campaigns, the Calisto backdoor was distributed in the form of an unsigned DMG image posing as Intego’s Internet Security X9 for macOS. The threat looked convincing enough to trick users, especially users not acquainted with Intego’s security application.
It should be noted that the backdoor uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).
This Trojan written for OS X was discovered a while back – in September 2011. The threat opened a backdoor on compromised systems. OSX.Imuler could enable a remote attacker to perform any of the following activities:
– Take a screen shot and send it to a remote location
– List files and folders
– Upload a file
– Download a file
– Delete a file
– Create a new process
– Unzip a downloaded file and execute it
In one of its later variants, the Trojan was disguised in ZIP files containing erotic pictures. Upon opening, the ZIP archive showed a number of files, most of which weren’t harmful. However, among them was application file disguised as an image. If the victim opened the application, the malware was triggered, connecting to remote servers to download a program known as CurlUpload. The program packages screenshots and other information into a compressed file which is uploaded. This operation was repeated every time the malware was opened.
Detected in 2016,KeRanger is the very first ransomware to successfully attack Mac machines, spreading via the hacked Transmission BitTorrent client for Mac. Also identified as Ransomware.OSX.KeRanger, it is the very first completely functional ransomware targeting Mac users.
According to researchers at Palo Alto, the first infections took place on March 4, 2016. Apparently, someone, a cybercriminal, hacked the official Transmission website and then replaced the legitimate client for Mac version 2.90 with a compromised one that contained KeRanger.
You may think that the very first functional Mac ransomware would have had flaws or at least features that needed improvement. However, KeRanger turned out to be as dangerous as the average ransomware written for the Windows operating system. KeRanger was described as an excellent replica of both Windows and Linux malicious encryptors.
The encryption algorithm used by KeRanger is AES. It was deployed against 300+ file extensions.
The ransomware bypassed Gatekeeper by using a stolen certificate. Apple security experts revoked the certificate shortly after that.
No OS is safe from malware attacks, macOS inclusive
One of the main symptoms of a Mac having a malware-related problem is the performance issues that it experiences. Usually some Macs tend to slow down when many programs are opened at once or if their memory is full. But if your Mac has enough space and is still slow, this may be a sign of a malware infection. To make sure that your Mac is malware-free, scanning it with security software is advisable.