Broadcast United

Threat actors increasingly targeting macOS

Broadcast United News Desk

Intel471’s new report reveals that macOS is increasingly being targeted by threat actors who either develop malware specifically for the operating system or use cross-platform languages to reach macOS computers with the same code base they use elsewhere.

More and more macOS vulnerabilities are being exploited as well, and both the malware and the vulnerabilities are used for cybercrime and cyber espionage alike.

There’s more malware on macOS than ever before

Between January 2023 and July 2024, researchers observed more than 40 threat actors targeting macOS systems with different types of malware, with information stealers and Trojans being the most popular.

Information stealers

Information-stealing malware (aka info stealers) is increasingly being developed and deployed on all operating systems, and macOS is no exception.

According to cloud security firm Uptycs, incidents involving information stealers doubled in the first quarter of 2023 compared to the same period in 2022. Cybersecurity firm Group-IB also reported that underground sales related to macOS information stealers increased fivefold.

Cybercriminals use this type of software to steal login credentials, session cookies that allow authentication without credentials, and further data such as credit card information or cryptocurrency wallets. Initial access brokers collect valid credentials (usually from companies rather than individuals) and then sell them to other cybercriminals.

Atomic Stealer (also known as Atomic macOS Stealer or AMOS) is one of the most popular macOS information stealers since 2023. It is designed to steal credentials and cryptocurrency wallet data from macOS devices and browsers.

Atomic Stealer malware log file structure. Image credit: Intel471

Atomic Stealer is not alone: several cybercriminals operate or advertise other information stealers for macOS. A threat actor nicknamed codehex advertises a macOS information stealer called ShadowVault that can steal data from various Chromium-based browsers, files stored on the infected computer, and data from cryptocurrency wallets.

The malware operators can also sign it with an Apple developer certificate, which makes it harder for security software to flag. Note that a developer signature alone does not make a binary notarized; Gatekeeper treats the two differently, as the Turtle ransomware case below shows. ShadowVault is sold for $500 per month in a Malware as a Service (MaaS) business model.

Another more expensive stealer, Quark Lab, can steal keychain passwords from a system as well as cryptocurrency wallets and popular browser information and costs $3,000 per month.
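Stealers like Atomic Stealer, ShadowVault and Quark Lab all need to touch the same handful of artefacts on a Mac: browser credential and cookie databases, the login keychain, wallet directories, and, for the ones that phish the user’s password, an `osascript` “display dialog … with hidden answer” prompt. The following detection logic is an added example (not code from Intel471 or from this article) that scores process and file-open events per PID against those behaviours. The event schema, the sample events and the indicator patterns are assumptions chosen for the example; the patterns are commonly reported stealer behaviours, not indicators taken from the report.

```python
"""Score macOS endpoint events for information-stealer behaviour.

Added example, not from the article or Intel471. The event schema
(type/pid/process/cmdline/path) is an assumed EDR-style format, and
SAMPLE_EVENTS are constructed for this example.
"""
import re
from collections import defaultdict

# Files a stealer reads to harvest credentials, cookies, keychain items and wallets.
# Assumed paths; they mirror where Chromium browsers, Keychain and common wallets store data.
SENSITIVE_PATHS = [
    (r"/Library/Application Support/Google/Chrome/[^/]+/(Login Data|Cookies|Web Data)$", "chromium_credential_store"),
    (r"/Library/Application Support/(BraveSoftware|Microsoft Edge)/.*/(Login Data|Cookies)$", "chromium_credential_store"),
    (r"/Library/Keychains/login\.keychain-db$", "keychain_file"),
    (r"/Library/Application Support/(Exodus|Electrum|Coinomi)/", "crypto_wallet"),
]

# Commands that stealers commonly run: a fake password prompt, keychain dumps, quarantine removal.
SUSPICIOUS_CMDS = [
    (r"^osascript\b.*display dialog.*with hidden answer", "password_prompt_via_osascript"),
    (r"^security\b.*(find-(generic|internet)-password|dump-keychain)", "keychain_dump"),
    (r"^xattr\b.*-d\s+com\.apple\.quarantine", "quarantine_removal"),
]

# Browsers legitimately open their own credential stores; skip those readers (assumed allow-list).
ALLOWED_READERS = {"Google Chrome", "Brave Browser", "Microsoft Edge", "Safari"}


def classify_event(event):
    """Return the set of indicator categories a single event triggers."""
    categories = set()
    if event["type"] == "exec":
        for pattern, category in SUSPICIOUS_CMDS:
            if re.search(pattern, event["cmdline"]):
                categories.add(category)
    elif event["type"] == "file_open" and event["process"] not in ALLOWED_READERS:
        for pattern, category in SENSITIVE_PATHS:
            if re.search(pattern, event["path"]):
                categories.add(category)
    return categories


def indicators_by_pid(events):
    """Aggregate distinct indicator categories per process id."""
    per_pid = defaultdict(set)
    for event in events:
        per_pid[event["pid"]] |= classify_event(event)
    return {pid: sorted(cats) for pid, cats in per_pid.items() if cats}


def alerts(events, min_categories=2):
    """Raise an alert only when one process shows several distinct stealer behaviours.

    Requiring two categories keeps a lone `security find-generic-password`
    (a normal admin action) from paging anyone.
    """
    return {pid: cats for pid, cats in indicators_by_pid(events).items()
            if len(cats) >= min_categories}


# Constructed sample telemetry: pid 501 behaves like a stealer, 302 is a real browser,
# 777 is an admin querying the keychain once.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T10:00:01Z", "type": "exec", "pid": 501, "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"ts": "2024-07-01T10:00:03Z", "type": "file_open", "pid": 501, "process": "payload",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": "2024-07-01T10:00:03Z", "type": "file_open", "pid": 501, "process": "payload",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"ts": "2024-07-01T10:00:04Z", "type": "file_open", "pid": 501, "process": "payload",
     "path": "/Users/alice/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
    {"ts": "2024-07-01T10:05:00Z", "type": "file_open", "pid": 302, "process": "Google Chrome",
     "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"ts": "2024-07-01T10:06:00Z", "type": "exec", "pid": 777, "process": "security",
     "cmdline": "security find-generic-password -wa alice"},
]

if __name__ == "__main__":
    for pid, cats in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {', '.join(cats)}")
```

The allow-list is the part to tune in a real deployment: browsers, password managers and backup agents open these files all day, so match on the responsible process (or its code-signing team ID) rather than on the file path alone.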

Remote access Trojans

Remote access Trojans are another type of malware that is becoming increasingly popular on macOS.

RustDoor is a macOS backdoor written in Rust and possibly associated with ransomware threat actors. It provides its controller with a variety of capabilities:

  • Execute remote commands.
  • Manipulate files on the infected system.
  • Add more payloads.
  • Collect system information.

This makes it a versatile tool for both cyber espionage and cybercriminal threat actors. Rust has become popular among malware developers because it is a cross-platform language, so the same code base can be ported to other operating systems with little effort.

Ransomware

As Intel471 writes, “The emergence of macOS ransomware raises concerns because it shows that threat actors are finding new avenues to attack Apple users.”

In April 2023, security researchers discovered a new encryptor for the notorious LockBit ransomware that targets macOS devices, including newer Macs running on Apple Silicon.

In late 2023, another, less advanced ransomware strain called Turtle emerged, again developed in the cross-platform language Golang (aka Go). The malware was only ad-hoc signed and not notarized, so Gatekeeper blocks it outright, as security researcher Patrick Wardle explained in his analysis.
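The distinction the Turtle case turns on (ad-hoc signature versus a Developer ID signature versus a notarized one, the same distinction that matters for the “signed” ShadowVault builds mentioned earlier) is visible in the output of Apple’s own `codesign` and `spctl` tools. The triage helper below is an added example, not code from the article or from Patrick Wardle’s write-up: it parses that output into a verdict. The sample tool outputs are constructed and only mimic the real tools’ line format; the label names are this example’s own.

```python
"""Triage a macOS binary's signing and notarization state.

Added example, not from the article. Parses the text that
`codesign -dv --verbose=4 <path>` and `spctl -a -vv <path>` print
(both write to stderr). The SAMPLE_* strings are constructed to
mimic the tools' output format, not captured from real malware.
"""
import re
import subprocess
import sys


def parse_codesign(text):
    """Extract signing facts from `codesign -dv --verbose=4` output."""
    info = {"signed": True, "adhoc": False, "authorities": [],
            "team_id": None, "hardened_runtime": False}
    if "code object is not signed at all" in text:
        info["signed"] = False
        return info
    for line in text.splitlines():
        line = line.strip()
        if line == "Signature=adhoc":
            info["adhoc"] = True
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier="):
            team = line.split("=", 1)[1]
            info["team_id"] = None if team == "not set" else team
        elif line.startswith("CodeDirectory") and "(runtime)" in line:
            info["hardened_runtime"] = True
    return info


def parse_spctl(text):
    """Extract Gatekeeper's verdict from `spctl -a -vv` output."""
    verdict = {"accepted": False, "source": None}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict["accepted"] = True
        elif line.startswith("source="):
            verdict["source"] = line.split("=", 1)[1]
    return verdict


def triage(codesign_text, spctl_text):
    """Collapse both tools' output into one label (labels are this example's own)."""
    cs = parse_codesign(codesign_text)
    gk = parse_spctl(spctl_text)
    if not cs["signed"]:
        return "unsigned"
    if cs["adhoc"]:
        # No identity behind the signature: Gatekeeper refuses quarantined copies.
        return "adhoc"
    dev_id = any(a.startswith("Developer ID Application:") for a in cs["authorities"])
    notarized = gk["accepted"] and gk["source"] == "Notarized Developer ID"
    if dev_id and notarized:
        return "developer-id-notarized"
    if dev_id:
        # Signed with a real Apple-issued identity but never submitted to notarization.
        return "developer-id-unnotarized"
    return "other-identity"


# Constructed samples in the tools' output format.
SAMPLE_ADHOC_CODESIGN = """Executable=/Users/alice/Downloads/turtle
Identifier=turtle
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""
SAMPLE_ADHOC_SPCTL = """/Users/alice/Downloads/turtle: rejected
source=no usable signature
"""
SAMPLE_NOTARIZED_CODESIGN = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4567 flags=0x10000(runtime) hashes=130+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2024 at 12:00:00 PM
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=42
"""
SAMPLE_NOTARIZED_SPCTL = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SAMPLE_UNSIGNED_CODESIGN = "/tmp/dropper: code object is not signed at all\n"
SAMPLE_UNSIGNED_SPCTL = "/tmp/dropper: rejected\nsource=no usable signature\n"


def triage_path(path):
    """Run the real tools on macOS and triage the result (macOS only)."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    gk = subprocess.run(["spctl", "-a", "-vv", path], capture_output=True, text=True)
    return triage(cs.stderr + cs.stdout, gk.stderr + gk.stdout)


if __name__ == "__main__":
    if sys.platform == "darwin" and len(sys.argv) > 1:
        print(triage_path(sys.argv[1]))
    else:
        print("sample turtle-like binary:", triage(SAMPLE_ADHOC_CODESIGN, SAMPLE_ADHOC_SPCTL))
```

The `team_id` is the useful pivot for an analyst: a Developer ID-signed sample names the Apple developer account that signed it, which is what Apple revokes and what you can search for across other samples.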

Exploited vulnerabilities

The number of exploited macOS vulnerabilities grew by more than 30% in 2023, according to patch management software company Action1.

In addition, Intel471 discovered 69 vulnerabilities that affected multiple versions of macOS between March 2020 and July 2024, with more than 10 vulnerabilities classified as high severity. Some of these vulnerabilities have been exploited by cyber espionage threat actors.

CVE-2023-41993 is a vulnerability affecting multiple versions of macOS that was exploited to install Cytrox’s Predator spyware, which has been sold to multiple state-sponsored groups around the world.

Threat actors have also exploited CVE-2023-41064, a buffer overflow vulnerability. The commercial spyware vendor behind that exploitation likewise sells its product to nation-state-backed organizations.

A cybercriminal nicknamed oDmC3oJrrSuZLhp is selling an exploit for the CVE-2022-32893 vulnerability, which allows attackers to execute arbitrary code on the target system, for $2.7 million on an underground forum.

State-sponsored threat actors

While different spyware providers have sold their services to state-sponsored threat actors, some of those actors also develop their own malware and tools targeting macOS.

North Korean threat actor BlueNoroff, for example, developed RustBucket, a macOS malware designed to target financial institutions whose activities relate to cryptocurrency.

The group also targets individuals holding cryptocurrency assets, with the ultimate goal of stealing all the cryptocurrency in the target’s wallet.

Russian threat actors APT28, affiliated with the General Staff of the Russian Armed Forces, and APT29, affiliated with Russia’s Foreign Intelligence Service, have also used macOS malware.

The XAgent modular backdoor used by APT28 has been around for many years and includes a macOS version that steals data from infected macOS systems, including iOS backups containing messages, contacts, voicemails, call logs, notes and calendars. APT29 used the no-longer-maintained Empire framework, a cross-platform remote administration and post-exploitation tool that can target macOS.

Vietnamese threat actor APT32 also deploys a macOS backdoor to target various organizations.

How to protect against this threat

macOS systems must always be kept updated and patched to protect against common exploits.

Security software should be deployed on the system to detect malware and suspicious activity. Email security solutions should also be used, as many initial intrusions are spread through phishing emails.

Finally, all employees need to be trained to detect potential social engineering techniques used in email or instant messengers.

Disclosure: I work at Trend Micro, but the opinions expressed in this article are my own.
