Mac endpoint protection: Trends in Mac threats

Learn about current trends in the Mac threat landscape, including information on recent malware as well as new techniques seen from adware and PUPs. (In many ways, adware on the Mac is FAR more clever and interesting than malware!)

September 30 2020 by

Haddayr Copley-Woods

According to a recent Malwarebytes study, Mac malware is on the rise, in part due to the rising market share of the Mac in the enterprise. Most analysts fully expect Mac malware to increase in the future, necessitating robust Mac endpoint protection.

Thomas Reed, Director of Mac & Mobile, Malwarebytes, walked JNUC 2020 attendees through what's new (and not so new but still very nasty) in Mac attacks.

The study showed that, based on the number of detections per machine, Macs were getting infected in 2019 almost twice as that in Windows. Mac detections overall for 2019 were about four times higher than for 2018. The vast majority of these were PUPS and adware.

New malware for the Mac

The most common macOS malware is only detected at the rate of 3/10 of a percent of all detections. However, though malware is rare, it can be nasty. It can grab a lot of your data and do a lot of damage to your system. Malware is sneaky and can stay hidden for years, such as Fruitfly, which remained hidden for more than ten years, accessing the web cam and the microphone on people's Macs for extremely nefarious purposes.

OSC.ThiefQuest (originally called EvilQuest)

  • Downloaded in a torrent app.
  • Masquerades as ransomeware, even dropping a ransom note, so that users are left scrambling without realizing that something else entirely is happening
  • Exfiltrates files via HTTP
  • Performs keylogging
  • Viral infection of binaries

OSX.BirdMiner

This is a Monero crypto miner distributed via piracy of audio apps from the VST Crack site and others. It uses XMRig via a Qemu virtual machine, which runs Linux in a tiny shell system.

Lazarus

This North Korean malware also called OSX.Fallchill, OSX.GMERA and OSX.Dacisrate.

It can come in the form of legitimate trojanized apps or fake apps: stock trading apps, crypto currency apps, album apps, one OTP app (which actually worked! But installed malware.) In the past, it's used malicious Word documents with a macro that escaped the sandbox and installed files on the system.

Nasty adware tricks

Malware on macOS is often rather simple and unsophisticated. But adware (browser hijackers, etc.) has become very complex and sophisticated on Macs. It can be as sneaky and as malicious as malware: accessing data, as well as using and causing vulnerabilities.

Modifying Safari

This adware trick makes a copy of Safari in the background and modifies JavaScript files. It then launches with the screen obscured, quits, and deletes the already existing version.

When a user goes into Safari, they will find that settings have been changed. Browser extensions in Safari have been activated without a user's knowledge or permission.

Installing Malicious profiles

These make their way in through the profiles command line utility. They lock Safari and Chrome home page and search settings. Once installed, users can no longer change their own home page or search engine. They are now considered to be 'managed,' even though it wasn't provided by an MDM. There is no API for managing profiles. If you see searchmine.net you need to remove these profiles.

Managed preferences

This trick means that Chrome becomes 'managed;' very similar to sys config profiles (although it happens lot less frequently.) Managed settings can't be changed by the user.

The files responsible for setting these are in /Library/Managed Preferences/, so if you see things you didn't put in there, delete them immediately.

sudoers file changes

This makes changes to the sudoers file to allow continued root access. These changes may create vulnerability:

 someuserALL=NOPASSWD:SETENV:/Users/someuser/Applications/MyMacUpToDate/MyMacUpToDate someuser ALL=(ALL) NOPASSWD: ALL

If someone infected this system and adware had been present and done this, the malware would have zero work to do because it would have root access already.

If you see these in a sudoers file in an endpoint, fix them!

Man in the middle

Man in the middle is generally associated with malware, but adware uses it to inject data instead of to mine it: Intercepting network data to inject ads.

It uses the opensource mitmproxy tool, which is designed to allow admins to debug code, but adware is using it to inject ads, including into .https traffic.

If we detect and remove it when it's installed maliciously, it causes loss of network connectivity. So you still need to go into the network proxy settings and remove all of those settings, and look for unwanted certificates in the keychain that will give attackers opportunity to snoop on your encrypted traffic.

Data collection

Adware can collect all sorts of data. There's even the possibility of exfiltration of your network data. Adware that collects data mines:

  • The unique identifier for the computer
  • IP address
  • User name
  • macOS version
  • Safari version
  • Chrome version
  • A list of everything found in the Applications folder
  • A list of all installed agents and daemons
  • A list of all installed system config profiles
  • The version of the malware removal tool you use, so as to avoid detection.

Adware is some of the most quickly adapted pieces of malware when there's a new version of macOS. We've seen them using all kinds of techniques to get around notarization requirements each time a new version releases.

View more detail and information: watch the entire trends in Mac threats video from JNUC 2020.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.