The Mac Malware of 2020

A comprehensive analysis of the year's new malware.

January 6 2021 by

Patrick Wardle

In this report, we focus on new Mac malware specimens or new variants that appeared in 2020. Adware and/or malware from previous years, are not covered. However at the end of the PDF, I’ve included a brief section dedicated to these other threats, that includes links to detailed write-ups.

For each malicious specimen covered in this post, we’ll identify the malware’s:

Infection Vector: How it was able to infect macOS systems.

Persistence Mechanism: How it installed itself, to ensure it would be automatically restarted on reboot/user login.

Features & Goals: What was the purpose of the malware? a backdoor? a cryptocurrency miner? or something more insidious…

Also, for each malware specimen, I’ve added a direct download link in case you want to follow along with our analysis or dig into the malware more!

I’ll reference various tools used in analyzing the malware specimens.

These include:

Objective-See's user-mode (open-source) utility that monitors process creations and terminations, providing detailed information about such events.

Objective-See's user-mode (open-source) utility monitors file events (such as creation, modifications, and deletions) providing detailed information about such events.

Objective-See's (open-source) utility that displays code-signing information, via the UI.

Objective-See's (open-source) network monitor.

The de-facto commandline debugger for macOS. Installed (to /usr/bin/lldb) as part of Xcode.

Hopper Disassembler
A “reverse engineering tool (for macOS) that lets you disassemble, decompile and debug your applications” …or malware specimens!

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.