Our 2022 review of macOS malware revealed that the threats faced by businesses and users running macOS endpoints included an increase in backdoors and cross-platform attack frameworks. Threats like CrateDepression and PyMafka used typosquatting attacks against package repositories to infect users, while ChromeLoader and others like oRAT leveraged malvertising as an infection vector.
However, the infection vector used by many other macOS threats remains unknown. SysJoker, OSX.Gimmick, CloudMensis, Alchemist and the Lazarus-attributed Operation In(ter)ception are just some of those for which researchers still do not know how victims were initially compromised. In these and other cases, researchers happened across the malware either in post-infection analyses or by discovering the samples on malware repositories like VirusTotal, where the sample’s trajectory from threat actor through victim to discovery remains largely untraceable.
Although this gap prevents us from building a full picture of any particular attack campaign, as defenders we can still enumerate the possible ways that malware can compromise a macOS system and analyze how malware has used these vectors in the past. Armed with this knowledge, we can build more resilient defenses and security policies to prevent threats from gaining entry.
1. The Lure of Free Content
There is an abundance of macOS malware that is distributed through free content download sites such as torrent sites, shareware sites, cracked app sites or free third-party app distribution sites.
This torrent for a file utility downloads an adware installer
Content lures include:
Live sports streaming sites, including lures built around geofencing evasion and digital rights management
Movie, TV, Game and Music download sites
Porn and sexual services sites
Free content lures are primarily used to drive adware and bundleware infections, but cryptominers such as LoudMiner have also been distributed this way.
The most common scenario is a user being offered free or cracked versions of an application; the user initiates a download of a disk image file purporting to contain that application but on mounting it finds that it is called something like “Flash Player”, “AdobeFlashPlayer.app” or similar. These files are usually unsigned and the user is given instructions on how to override macOS Gatekeeper in order to launch them.
Lure for a cracked version of Adobe Photoshop leads to an adware installer
As shown in the above image, this is a simple trick in the Finder that even non-admin users can use to defeat the Mac’s built-in security mechanism.
Some threat actors have recently been seen directing users to the Terminal to override Gatekeeper there, presumably to work around any additional security controls that organization admins might have deployed via MDM (mobile device management).
Some users set out to seek legitimate content but are pulled into malicious sites through advertising and ‘too good to be true’ deals and offers. Anecdotal evidence suggests that there is a widespread perception among Mac users that exploring such links is not inherently dangerous because Macs are “Safe” and “Don’t get viruses”. The nature of these sites, however, and the insistent use of popups, misleading icons and redirecting links can quickly lead a user from a safe search to a dangerous download.
Although the “Flash Player” lure is largely used by adware and bundleware campaigns, it was also seen in a long-running campaign by Chinese threat actors distributing macOS.Macma. Other campaigns that have made significant use of this vector include OSX.Shlayer, Pirrit and Bundlore. These threats are well-detected by security vendors but often missed by Apple’s built-in signature-based detection technology, XProtect.
How To Prevent Attacks via Free Content
Mitigations for infections through this vector include:
Controlling permissions relating to software downloads or launches via MDM and/or application allow/deny lists enforced by a security product
Restricting access to the Terminal via an MDM solution or a security product
Restricting or preventing the execution of unsigned code with a security product
Using endpoint protection software to prevent and detect known malware
2. Malvertising to Mac Users
Maliciously-crafted ads on webpages can run hidden code inside the user’s browser, redirecting the victim to sites showing popups with fake software updates or virus scan warnings. In the past 12 months, known malvertising campaigns aimed at macOS users include ChromeLoader and oRAT.
ChromeLoader, also known as Choziosi Loader or ChromeBack, takes the form of a malicious Chrome extension that hijacks the user’s search engine queries, installs a listener to intercept outgoing browser traffic, and serves up adware to victims.
oRAT is a backdoor implant written in Go and is downloaded to the victim’s machine as an unsigned disk image (.dmg) masquerading as a collection of Bitget Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution identifier com.adobe.pkg.Bitget.
An encrypted blob of data containing configuration such as the C2 IP address is appended to the malicious binary.
oRAT’s encrypted blob and the decrypted plain text
More details on oRAT can be found in the writeup here.
How to Prevent Attacks from Malvertising
Mitigations for threats distributed through malvertising include:
Using firewall control and web filters to block access to known malicious websites. In extremely sensitive cases, firewalls can restrict access to only a limited set of authorized IPs
Using ad-blocking software: ad blockers can prevent most adverts from being displayed, but this may have an impact on performance and on access to some resources
Deploying endpoint protection software to prevent and detect the execution of malicious code delivered through malicious adverts
3. Poisoned Developer Projects
Developers are high-value targets for threat actors pursuing mass infections, supply chain attacks, espionage and political manipulation. Undoubtedly the most successful attack on Apple developers to date was XcodeGhost, a malicious version of Apple’s Xcode IDE hosted on a server in China in 2015. A number of Chinese developers chose to download what they believed to be a local mirror of Xcode because downloading the legitimate version from Apple’s servers in the US was extremely slow.
XcodeGhost inserted malicious code into any iOS app that was built with it, and a number of infected apps were subsequently released on Apple’s App Store. The infected apps were capable of stealing sensitive information such as the device’s unique identifier and the user’s Apple ID, and executing arbitrary code on the infected iOS device.
More commonly and more recently, threat actors have sought to infect developers by means of shared code. Because developers look to increase productivity by not ‘reinventing the wheel’, they will often seek out shared code rather than attempt to write their own implementation of tricky libraries or unfamiliar API calls.
Useful code can be found in public repositories hosted on sites like GitHub, but these can also be laced with malware or with code that opens a backdoor from the developer’s environment to the attackers. XCSSET malware and XcodeSpy have both exploited shared Xcode projects to compromise developers of macOS and iOS software.
In XCSSET, a project’s .xcodeproj/project.xcworkspace/contents.xcworkspacedata was modified to contain a file reference to a malicious file hidden in the project’s xcuserdata folder. Building the project caused the malware to be executed, which then dropped a multi-stage infection on the developer’s machine, including a backdoor.
In XcodeSpy, a threat actor distributed a doctored version of a legitimate, open-source project available on GitHub. The project’s Build Phases included an obfuscated Run Script that would execute when the developer’s build target was launched.
The obfuscated script found in an XcodeSpy sample.
The script created a hidden file at /private/tmp/.tag, which contained a single command: mdbcmd. This in turn was piped via a reverse shell to the attackers’ C2. The file path is linked to two custom EggShell backdoors found on VirusTotal.
On execution, the customized EggShell binaries drop a LaunchAgent either at ~/Library/LaunchAgents/com.apple.usagestatistics.plist or ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist. This plist checks to see if the original executable is running; if not, it creates a copy of the executable from a ‘master’ version at ~/Library/Application Support/com.apple.AppStore/.update then executes it.
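As an added illustration (not code from the original post), the following Python check could be run over the plists in a user’s LaunchAgents folder to surface the traits just described: an Apple-looking label sitting outside Apple’s own launch agent directories, a job whose program path contains a hidden dot-file, and the triggers that make it start automatically. The two plists, their paths and the directory list are constructed for this example and modelled on the description above; `assess_launch_agent` is a hypothetical name.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Directories where Apple's own launch agents and daemons live; a com.apple.*
# label anywhere else is worth a look (assumption for this example).
APPLE_DIRS = (
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "/Library/Apple/System/Library/LaunchAgents",
)
_HIDDEN_COMPONENT = re.compile(r'(?:^|/)\.[^/\s".][^/\s"]*')   # dot-file path component, not "." or ".."
_TEMP_DIR = re.compile(r"/(?:private/)?(?:var/)?tmp/")

# Constructed LaunchAgent modelled on the persistence the article describes:
# an Apple-looking label in the user's LaunchAgents folder whose job runs a
# hidden file under ~/Library/Application Support. Not a real sample.
SUSPECT_PATH = "/Users/dev/Library/LaunchAgents/com.apple.usagestatistics.plist"
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.usagestatistics</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>"$HOME/Library/Application Support/com.apple.AppStore/.update"</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>60</integer>
</dict>
</plist>
"""

# Constructed benign agent for comparison: vendor-style label, matching file name.
BENIGN_PATH = "/Users/dev/Library/LaunchAgents/com.example.backup.plist"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>Program</key><string>/usr/local/bin/backup</string>
    <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict>
</plist>
"""


def _strings_in(value):
    """Yield every string nested inside a plist value (Program, ProgramArguments, ...)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings_in(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings_in(item)


def assess_launch_agent(plist_bytes: bytes, plist_path: str) -> list:
    """Return human-readable findings for one LaunchAgent plist at the given path."""
    plist = plistlib.loads(plist_bytes)
    path = PurePosixPath(plist_path)
    label = plist.get("Label", "")
    findings = []
    if label.startswith("com.apple.") and not str(path.parent).startswith(APPLE_DIRS):
        findings.append("Apple-style label outside Apple's own LaunchAgents directories")
    if label and path.stem != label:
        findings.append(f"label {label!r} does not match file name {path.name!r}")
    command = list(_strings_in(plist.get("Program"))) + list(_strings_in(plist.get("ProgramArguments")))
    if any(_HIDDEN_COMPONENT.search(s) for s in command):
        findings.append("program path contains a hidden (dot) component")
    if any(_TEMP_DIR.search(s) for s in command):
        findings.append("program path under a temporary directory")
    triggers = [k for k in ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval") if plist.get(k)]
    if triggers:
        findings.append("auto-start triggers: " + ", ".join(triggers))
    return findings


if __name__ == "__main__":
    for plist_path, data in ((SUSPECT_PATH, SUSPECT_PLIST), (BENIGN_PATH, BENIGN_PLIST)):
        print(plist_path)
        for finding in assess_launch_agent(data, plist_path):
            print("  -", finding)
```

On a real system the same function can be fed each file under ~/Library/LaunchAgents and /Library/LaunchAgents; the label-versus-location check is the one that would have caught the agent described above, since Apple does not install com.apple.* agents into a user’s own LaunchAgents folder.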
Persistence agent used by EggShell backdoor linked to XcodeSpy
How To Prevent Attacks via Poisoned Developer Projects
Mitigations for threats distributed through this vector include:
Isolating development environments from production environments
Requiring all shared developer projects to be reviewed and authorized before being downloaded or built on company devices
Implementing secure development practices such as secure coding guidelines, code review and code buddying
Educating developers on the dangers of externally-sourced developer projects
Monitoring for suspicious and malicious code execution with endpoint protection software
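The review step above can be partly automated. The following Python scanner is an added example (not code from the original post or from any of the projects it mentions) covering both techniques described in this section: it pulls every Run Script build phase out of a project.pbxproj and flags decode-and-execute patterns like the XcodeSpy script, and it parses contents.xcworkspacedata for file references into xcuserdata or at hidden files, the modification attributed to XCSSET. The two project fragments are constructed for the example; the encoded command inside the sample is a harmless stand-in generated at import time, not the real payload, and all function names are hypothetical.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: a project.pbxproj fragment with one ordinary Run Script
# phase and one obfuscated decode-and-execute phase in the style the article
# describes for XcodeSpy. The encoded command is a harmless stand-in built here
# at import time; it is not the real XcodeSpy script.
_STAND_IN = "touch /private/tmp/.tag"
_ENCODED = base64.b64encode(_STAND_IN.encode()).decode()

SAMPLE_PBXPROJ = f'''
        A1 /* Lint */ = {{
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "\\"${{SRCROOT}}/scripts/lint.sh\\" --strict\\n";
        }};
        A2 /* ShellScript */ = {{
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "echo {_ENCODED} | base64 -D | sh\\n";
        }};
'''

# Constructed sample: contents.xcworkspacedata carrying an extra FileRef into
# xcuserdata, the kind of reference the article attributes to XCSSET.
SAMPLE_WORKSPACE = '''<?xml version="1.0" encoding="UTF-8"?>
<Workspace version = "1.0">
   <FileRef location = "self:">
   </FileRef>
   <FileRef location = "group:Demo.xcodeproj/xcuserdata/dev.xcuserdatad/.stage1">
   </FileRef>
</Workspace>
'''

_PHASE_RE = re.compile(r"isa = PBXShellScriptBuildPhase;")
_NEXT_ISA_RE = re.compile(r"isa = ")
_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:\\.|[^"\\])*)"\s*;', re.DOTALL)
_B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# (name, pattern) pairs; each is a behaviour a build script rarely needs.
INDICATORS = [
    ("base64 decode piped to an interpreter",
     re.compile(r"base64\s+(?:-D|-d|--decode)\s*\|\s*(?:sh|bash|zsh|python3?|perl|osascript)\b")),
    ("download piped to an interpreter",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash|zsh)\b")),
    ("eval of dynamic content", re.compile(r"\beval\b")),
    ("hidden file under /tmp or /private/tmp", re.compile(r"/(?:private/)?tmp/\.[\w.-]+")),
    ("raw TCP redirection via /dev/tcp", re.compile(r"/dev/tcp/")),
]


def _unescape(s: str) -> str:
    """Undo pbxproj string escaping (backslash-n, backslash-t, escaped quotes and backslashes)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s, flags=re.DOTALL)


def run_scripts(pbxproj: str) -> list:
    """Return the unescaped body of every Run Script (PBXShellScriptBuildPhase)."""
    scripts = []
    for phase in _PHASE_RE.finditer(pbxproj):
        # The shellScript key sits between this isa line and the next object's isa line.
        nxt = _NEXT_ISA_RE.search(pbxproj, phase.end())
        segment = pbxproj[phase.end(): nxt.start() if nxt else len(pbxproj)]
        m = _SCRIPT_RE.search(segment)
        if m:
            scripts.append(_unescape(m.group(1)))
    return scripts


def decoded_layers(script: str) -> list:
    """Decode every plausible base64 token so indicators are matched one layer deeper."""
    layers = []
    for token in _B64_TOKEN_RE.findall(script):
        try:
            layers.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return layers


def script_findings(script: str) -> list:
    """Names of the indicators that fire on the script or on its decoded layers."""
    texts = [script] + decoded_layers(script)
    return [name for name, rx in INDICATORS if any(rx.search(t) for t in texts)]


def workspace_findings(xml_text: str) -> list:
    """FileRef locations that point into xcuserdata or at a hidden (dot) file."""
    flagged = []
    for ref in ET.fromstring(xml_text).iter("FileRef"):
        loc = ref.get("location", "")
        parts = [p for p in loc.split(":", 1)[-1].split("/") if p]
        if "xcuserdata" in parts or any(p.startswith(".") and p not in (".", "..") for p in parts):
            flagged.append(loc)
    return flagged


def scan_project(pbxproj: str, workspace_xml: str) -> dict:
    """Summary report over one project's pbxproj and workspace data."""
    scripts = run_scripts(pbxproj)
    return {
        "run_script_phases": len(scripts),
        "suspicious_scripts": [f for f in map(script_findings, scripts) if f],
        "workspace_refs": workspace_findings(workspace_xml),
    }


if __name__ == "__main__":
    print(json.dumps(scan_project(SAMPLE_PBXPROJ, SAMPLE_WORKSPACE), indent=2))
```

The point of decoding one base64 layer before matching is that the outer script in the sample only shows a pipe into base64, while the hidden-file indicator fires on what the pipe would execute; a review tool that stops at the literal script text misses that. For a real project, read the two files from disk and hand their contents to `scan_project`.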
4. Open Source Package Repositories
Things start to get more serious when threat actors target open source package repositories. Code shared through these repositories is used widely across enterprise projects, and security vetting of it is both weak and difficult. There are many in use across different platforms and languages, including:
Python Package Index (PyPI)
Node Package Manager (NPM)
Go Module Index (Go)
NuGet Gallery (.NET)
CocoaPods (Swift, iOS)
Carthage (Swift, macOS)
Fedora Package Database (Linux)
CentOS Package Repository (Linux)
Arch Linux User Repository (Linux)
Ubuntu Package Repositories (Linux)
Alpine Package Repository (Linux)
Maven Central (Java)
Package repositories can be susceptible to typosquatting attacks and dependency confusion attacks. In some cases, ownership of legitimate packages has been hijacked or transferred to malicious actors.
In May 2022, a popular PyPI package ‘PyKafka’ was targeted in a typosquatting attack with a package named ‘PyMafka’. The PyMafka package contained a Python script that surveyed the host and determined the operating system.
If the device was running macOS, it reached out to a C2 and downloaded a Mach-O binary called ‘MacOs’ and wrote it to /private/var/tmp with the name ‘zad’. The binary was UPX-packed and obfuscated and dropped a Cobalt Strike beacon.
Only a week earlier, the Rust repository Crates.io had also been targeted by threat actors typosquatting the legitimate ‘rust_decimal’ package with a malicious ‘rustdecimal’ package. The latter targeted environments with GitLab Continuous Integration (CI) pipelines and dropped a macOS-compiled Poseidon payload written in Go.
As 2022 closed out, an actor who later claimed to be a ‘researcher’ targeted the PyTorch package on PyPI with a dependency confusion attack.
Dependency confusion attacks take advantage of the fact that some packages have dependencies hosted on private servers. By default, package managers resolve a client’s dependency request by searching the public repository first. If a dependency’s name does not already exist in the public repository, an attacker can upload their own malicious package under that name and have it served in response to the client’s request.
The malware dropped in the attack on PyTorch collected and exfiltrated a variety of..