We knew it was just a matter of time before Mac-specific malware started to appear in the cybersecurity landscape. For the first time, Mac-based malware appeared on WatchGuard’s Top 10 list of most common types of malware in the third quarter of 2018.
Mac-Based Email Malware
Coming in at sixth place on WatchGuard’s Top 10 malware list for Q3 2018, Mac scareware is delivered primarily via email and aims to trick victims into installing fake cleaning software. It is identified as MAC.OSX.AMCleaner and closely resembles FakeAlert, which tries to con users into buying unneeded services.
Throughout the third quarter, WatchGuard saw this scareware affect countries all over the world in different variations. One variant opens an HTML page stored within the application itself; another is a full application that shows false scan results. In both cases, the scareware prompts users to purchase a fake malware cleaning service.
Anyone who follows the scam is taken to a malicious domain and prompted to download and install the fake cleaning software. The malicious installer is signed with a valid Apple-issued certificate. While the certificate makes the software look legitimate, it also lets the malware pass macOS protections such as Gatekeeper.
What the scareware does once installed is still relatively unknown, and it is being classed as greyware. According to Webopedia, greyware refers to malicious software or code that falls in the “grey area” between normal software and a virus; it is an umbrella term for annoying or malicious software such as adware, spyware, trackware, other malicious code and malicious shareware. In practice, this scareware tricks users into paying for a service without providing the advertised product.
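Gatekeeper checks that a signature chains to Apple, not that the signer is trustworthy, so a Developer ID certificate issued to any registered developer passes it. The following added example (not from WatchGuard’s report) parses the output of `codesign -dv --verbose=4 <App.app>` and applies a team-ID allowlist on top of that check; the sample output and the team ID `ABCDE12345` are constructed.

```python
# Constructed sample of `codesign -dv --verbose=4 <App.app>` output (codesign
# prints these lines to stderr); hypothetical team ID, not the scareware's.
SAMPLE_DEVELOPER_ID = """\
Identifier=com.example.cleaner
Authority=Developer ID Application: Example Tools Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_ADHOC = """\
Identifier=dropper
Signature=adhoc
TeamIdentifier=not set
"""

def parse_codesign(text):
    """Turn codesign's key=value lines into a dict; Authority may repeat."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info

def signer_kind(info):
    """Classify the signer; Gatekeeper passes all but adhoc/unsigned."""
    auth = info["Authority"]
    if not auth:
        return "adhoc" if info.get("Signature") == "adhoc" else "unsigned"
    leaf = auth[0]  # first Authority line is the leaf certificate
    if leaf == "Software Signing":
        return "apple"
    if leaf == "Apple Mac OS Application Signing":
        return "mac_app_store"
    if leaf.startswith("Developer ID Application:"):
        return "developer_id"
    return "other"

def is_allowed(info, allowed_team_ids):
    """Trust Apple/App Store code; trust Developer ID only for allowlisted teams."""
    kind = signer_kind(info)
    if kind in ("apple", "mac_app_store"):
        return True
    return kind == "developer_id" and info.get("TeamIdentifier") in allowed_team_ids
```

On a Mac, feed the stderr of `codesign -dv --verbose=4 /Applications/Some.app` into `parse_codesign` and compare the team ID against the list your organisation has approved.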
Mac Malware ‘DarthMiner’
Over the last two weeks, researchers detected a fake Adobe piracy app that infects Mac users with a one-two punch: the EmPyre backdoor/post-exploitation agent and the XMRig cryptominer. The app, known as DarthMiner, pretends to be Adobe Zii, a program used to crack and pirate Adobe products.
The shell script executes an obfuscated Python script, which sets the stage for the open-source tools EmPyre and XMRig. The Python script first checks for the Little Snitch application firewall; if it is found, the script exits. If Little Snitch is not installed, the script opens a connection to an EmPyre backend, which can push commands to the infected Mac. Those commands ultimately install XMRig.
On top of that, the EmPyre backdoor can be used to install additional malware that could, for example, steal data or passwords.
Corey Nachreiner, WatchGuard’s CTO, sums up what lies ahead for Mac users:
“Mac users that haven’t installed a security suite on the endpoint need to do so,” Nachreiner commented. “The days where Mac users can go to airports, coffee shops, and use home networks without added protections like a firewall and IP reputation services are over.”