Jamf Blog
July 9, 2021 by Stuart Ashenbrenner

New Mac malware, OSX.WildPressure, prevented by Jamf Protect

As Apple device adoption continues to grow in the enterprise, malware targeting macOS is growing with it.

This week, Kaspersky released a detailed write-up on a piece of Mac malware called OSX.WildPressure.

One of the primary points of interest is a PyInstaller bundle (PyInstaller freezes a Python script, its dependencies and an interpreter into a standalone executable) that contains a Python script named “Guard.py”. This script shows that the malware targets not only Windows but macOS, too.

Guard.py targeting both Windows and macOS

The script takes a base64-encoded template and decodes it into a plist file. It then writes this plist, called “com.apple.pyapple.plist”, into the user’s LaunchAgents directory, so launchd starts the malware again at every login and it survives a reboot. On first run, the script injects its own path into the plist in place of the string [pyscript], which the template uses as a placeholder. Note the Apple-style label: Apple’s own agents do not live in a user’s ~/Library/LaunchAgents, so a “com.apple.” plist in that directory is itself a useful hunting signal.

Plist created by the Guard.py script
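As an added illustration (this is not code from the post, from the malware or from Jamf Protect), here is a small Python hunt routine that parses a LaunchAgent plist with the standard plistlib module and flags the traits described above: an Apple-style label sitting under a user’s LaunchAgents directory, an interpreter in ProgramArguments, RunAtLoad, a script kept in a hidden directory, and an unfilled [pyscript] placeholder. The sample plists are constructed for the example; only the file name com.apple.pyapple.plist and the placeholder string come from the post, while the Label value, the interpreter path and the script location are assumptions.

```python
"""Hunt for script-backed LaunchAgent persistence of the kind described above."""
from __future__ import annotations

import plistlib
import re
from pathlib import Path, PurePosixPath

# Constructed samples for this example. Only the file name
# com.apple.pyapple.plist and the [pyscript] placeholder come from the post;
# the Label value, interpreter path and script location are assumptions.
SAMPLE_FILLED = plistlib.dumps({
    "Label": "com.apple.pyapple",
    "ProgramArguments": ["/usr/bin/python", "/Users/victim/.appdata/Guard.py"],
    "RunAtLoad": True,
})
SAMPLE_TEMPLATE = plistlib.dumps({  # placeholder not yet replaced with a path
    "Label": "com.apple.pyapple",
    "ProgramArguments": ["/usr/bin/python", "[pyscript]"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})

# Interpreters that make an agent "script-backed"; a trailing version suffix
# such as the ".9" in python3.9 is stripped before the lookup.
INTERPRETERS = {"python", "perl", "ruby", "osascript", "sh", "bash", "zsh"}


def analyze_launch_agent(plist_bytes: bytes, plist_path: str) -> set[str]:
    """Return a set of finding tags for one LaunchAgent plist.

    plist_path is where the plist was found; it decides whether an Apple-looking
    label is suspicious (Apple's own agents do not live under /Users/*).
    """
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist
        return {"unparseable-plist"}

    findings: set[str] = set()
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    argv0 = str(data.get("Program") or (args[0] if args else ""))
    in_user_home = PurePosixPath(plist_path).parts[1:2] == ("Users",)

    if label.startswith("com.apple.") and in_user_home:
        findings.add("apple-label-in-user-launchagents")
    if re.sub(r"[\d.]+$", "", PurePosixPath(argv0).name) in INTERPRETERS:
        findings.add("interpreter-launched")
    if any("[pyscript]" in a for a in args):
        findings.add("unfilled-pyscript-placeholder")
    if data.get("RunAtLoad") is True:
        findings.add("run-at-load")
    # A script argument living inside a dot-directory (e.g. ~/.appdata/).
    if any(part.startswith(".") for a in args[1:]
           for part in PurePosixPath(a).parts[1:]):
        findings.add("script-in-hidden-dir")
    return findings


def scan_launch_agents(directory: str) -> dict[str, set[str]]:
    """Analyze every *.plist in directory (e.g. ~/Library/LaunchAgents)."""
    report: dict[str, set[str]] = {}
    for p in sorted(Path(directory).expanduser().glob("*.plist")):
        report[str(p)] = analyze_launch_agent(p.read_bytes(), str(p))
    return report


if __name__ == "__main__":
    user_dir = "/Users/victim/Library/LaunchAgents/"
    for name, blob, path in [
        ("filled", SAMPLE_FILLED, user_dir + "com.apple.pyapple.plist"),
        ("template", SAMPLE_TEMPLATE, user_dir + "com.apple.pyapple.plist"),
        ("benign", SAMPLE_BENIGN, user_dir + "com.example.updater.plist"),
    ]:
        print(f"{name}: {sorted(analyze_launch_agent(blob, path))}")
```

Run scan_launch_agents("~/Library/LaunchAgents") on a host to get the same tags per file; a plist that collects both the Apple-style label and the interpreter tag in a user directory deserves a look regardless of the exact name the malware used.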

The script looks for a config file called ~/.appdata/grconf.dat and reads in the contents between the magic header “*grds*” and the magic footer “*grde*”.

Finding the magic header and footer
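As an added example (not the malware’s own code and not Jamf’s), here is a small Python carver that pulls the payload out from between the “*grds*” header and the “*grde*” footer, and tolerates the cases an analyst meets on real samples: a header with no footer after it, a stray footer before the header, and several delimited segments in one file. The sample blobs are constructed for the example; the post says nothing about what the payload looks like once extracted, so the carver returns raw bytes and leaves interpretation to the analyst.

```python
"""Carve the delimited payload out of a grconf.dat-style config file."""
from __future__ import annotations

from pathlib import Path

HEADER = b"*grds*"  # magic header named in the post
FOOTER = b"*grde*"  # magic footer named in the post


def carve_segments(blob: bytes, header: bytes = HEADER,
                   footer: bytes = FOOTER) -> list[bytes]:
    """Return every payload lying between a header and the footer that follows it.

    A header with no footer after it is dropped (truncated file), and a footer
    that precedes any header is skipped, so padding or junk around the markers
    never raises. Segments are returned in file order.
    """
    segments: list[bytes] = []
    pos = 0
    while True:
        start = blob.find(header, pos)
        if start == -1:
            break
        body_start = start + len(header)
        end = blob.find(footer, body_start)
        if end == -1:  # truncated: header without a closing footer
            break
        segments.append(blob[body_start:end])
        pos = end + len(footer)
    return segments


def read_config(path: str = "~/.appdata/grconf.dat") -> bytes | None:
    """Return the first carved payload from the file, or None if the file is
    missing or carries no complete header/footer pair."""
    p = Path(path).expanduser()
    if not p.is_file():
        return None
    segments = carve_segments(p.read_bytes())
    return segments[0] if segments else None


# Constructed sample blobs (not real WildPressure data).
WELL_FORMED = b"noise" + HEADER + b"payload-1" + FOOTER + b"trailing"
MULTI = HEADER + b"a" + FOOTER + b"gap" + HEADER + b"b" + FOOTER
STRAY_FOOTER = FOOTER + b"x" + HEADER + b"real" + FOOTER
TRUNCATED = HEADER + b"cut off before the footer"
EMPTY_BODY = HEADER + FOOTER

if __name__ == "__main__":
    for name, blob in [("well_formed", WELL_FORMED), ("multi", MULTI),
                       ("stray_footer", STRAY_FOOTER), ("truncated", TRUNCATED),
                       ("empty_body", EMPTY_BODY)]:
        print(f"{name}: {carve_segments(blob)}")
```

The file path itself is the cheaper indicator: a hidden .appdata directory in a user’s home, with a grconf.dat inside, is worth checking before anything is carved.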

As this cross-platform Trojan shows, malware authors are now targeting macOS alongside operating systems such as Windows. It is a good reminder that as Mac devices continue to grow in popularity, attackers will adapt their tooling to reach more victims.

Jamf Protect message box detecting and preventing the OSX.WildPressure malware

Jamf Protect’s Threat Prevention detects and blocks execution of this malicious script, as well as many others. Apple has also told developers that Python will not come pre-installed in a future version of macOS.

This move by Apple will help hinder malware families that are primarily written in, or include, Python. Past examples of such families are GravityRAT, Bella, EvilOSX, EmPyre and some variants of Shlayer and Pirrit. One caveat: a PyInstaller-frozen sample like this one carries its own interpreter, so the removal of the system Python only hinders components that depend on it being present.

Contact us to start your free trial, or get more information on Jamf Protect today.
