In this report, we focus on new Mac malware specimens, or new variants, that appeared in 2020. Adware and malware from previous years are not covered. However, at the end of the PDF, I’ve included a brief section dedicated to these other threats, with links to detailed write-ups.
For each malicious specimen covered in this post, we’ll identify the malware’s:
Infection Vector: How it was able to infect macOS systems.
Persistence Mechanism: How it installed itself to ensure it is automatically restarted on reboot or user login.
Features & Goals: What was the purpose of the malware? A backdoor? A cryptocurrency miner? Or something more insidious…
Also, for each malware specimen, I’ve added a direct download link in case you want to follow along with our analysis or dig into the malware more!
I’ll reference various tools used in analyzing the malware specimens.
Objective-See's open-source, user-mode utility that monitors process creations and terminations, providing detailed information about each event.
Objective-See's open-source, user-mode utility that monitors file events (such as creation, modification, and deletion), providing detailed information about each event.
Objective-See's (open-source) utility that displays code-signing information, via the UI.
Objective-See's (open-source) network monitor.
The de-facto command-line debugger for macOS. Installed (to /usr/bin/lldb) as part of Xcode.
A “reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications” …or malware specimens!