Malwarebytes has released figures that show that in the year 2017 alone, Mac threats increased more than 270 per cent, while malware targeting Mac operating systems more than doubled from 2016 to 2017.
In a supporting blogpost, the company highlighted four case studies from 2018 that demonstrated a ‘similar pace of malware development'. The first, OSX.MaMi, changes DNS settings on infected Mac computers, and also installs a new trusted root certificate in the keychain. “By redirecting the computer's DNS lookups to a malicious server, the hackers behind this malware could direct traffic to legitimate sites, such as bank sites, Amazon, and Apple's iCloud/Apple ID services, to malicious phishing sites. The addition of a new certificate could be used to perform a “man-in-the-middle” attack, making these phishing sites appear to be legitimate”, said the researchers.
David Emm, principal security researcher at Kaspersky Lab told SC Media UK that while Mac malware may still be relatively rare compared to the vast volumes aimed at Windows, Mac malware tends to be more targeted: “When it comes to targeted attacks the creators of APTs have been active in ensuring their code is as multi-platform as possible. There are plenty of examples of multiple platform-capable targeted attacks that include Mac malware.”
Indeed, Malwarebytes second example was a piece of nation-state malware, called Dark Caracal, including a new Java-based cross-platform RAT (remote access tool, aka backdoor), that is capable of infecting Macs, among other systems. Another technique highlighted is the supply chain attack, an example being OSX.CreativeUpdate, where the MacUpdate website was hacked, and a variety of popular downloads were replaced with malicious links that ultimately installed Monero-mining malware.
“This would result in the computer slowing down and the fans starting to run at high speed. This has a number of negative impacts, such as significant hits on the performance of the computer, reduced battery life, increased usage of electricity, and even potential for overheating the computer and damaging the hardware (especially if the fans were not working at peak capacity or the vents were clogged with dust), noted the researchers.
“Certainly, as the Mac market share has increased we have seen increases in attacks. We've also seen huge rises in platform independent attacks such as phishing, as well as browser-based attacks, such as Java coin miners, as well as redirection attacks”, commented Emm. “Crypto-mining malware has seen a significant rise across the board of late, partly due to mainstream adoption, and partly due to the relatively low barriers to success. Unlike a successful ransomware attack, which requires network infiltration, encryption of data and then a ransom payment, drive-by coin mining is a much less convoluted route from user PC to monetary reward for the attacker.”
The most recent piece of Mac malware highlighted by Malwarebytes is called OSX.Coldroot, and is a generic backdoor, albeit compromised by as variety of bugs and OS dependencies (installation will fail on macOS 10.11 El Capitan, or later).
“The dangers of seeing the Mac platform as being immune to malware are significant, and there is the added dimension of Macs being ‘carriers' of malware in a mixed business environment. I think we'll see most Mac malware activity in the targeted attack area during 2018, due to the simple question of ROI - it costs proportionally more to develop Mac malware, so there has to be a clear reason to do so for attackers”, summarised Emm.