Three pervasive myths about Macs that you can find in almost any online discussion about security and macOS are “Macs are safe by design”, “Macs are not numerous enough to be of interest to malware authors” and (consequently) “there’s no real malware threats out there for macOS”. We’ve talked about the weaknesses in macOS security on a number of previous occasions, and we’ve also talked about some of the common and not-so-common threats that are out there in the wild, too.
But as I’ve noted in the past, the view of security researchers and the views of those opining on social media are often at odds simply because the latter are speaking from their own experience and don’t have the overview that researchers have. SentinelOne protects hundreds of thousands of Macs and our telemetry paints a very clear picture, a picture that has changed vastly even in the last two to three years. But people can only argue from what they know, so let’s share a little knowledge. How do Macs really get infected? Let’s count the ways.
1. Self-inflicted Damage? Cracks, Pirates and Porn
A common argument among those who grudgingly admit there might be a “minor” problem of malware on macOS is that it is only users engaging in “risky behaviour” that are susceptible to malware, and (for some often unstated reason) this doesn’t count as a “real” problem. This argument is often swiftly followed by the claim that had these users only followed “Apple’s advice”, or “common sense” or some other prescription about what users should and should not do on a computer, then they would not have ended up with malware on their (or their company’s) Macs. The fact they didn’t do the former and ended up with the latter? Well, “only themselves to blame”.
I believe such moralizing hinders rather than helps the real security effort needed to improve macOS security, not just for this subset of users but for all. I also don’t believe this attitude is representative of Apple itself, if you look at the kind of things that Apple’s own security tools try to detect. Rather, this is the view of a certain vociferous subsection of Apple enthusiasts.
However, before we get further into that, let’s first take a look at the kind of threats we’re talking about here.
Those that frequent torrent sites in search of free access to copyrighted material – from books and TV series to blockbuster movies and proprietary software – share something in common with those that frequent adult entertainment sites (regardless of whether they are or are not the same users): they are disproportionately likely to expose themselves to macOS malware.
Take this Torrent user’s offerings, for example.
As they say on TV, “don’t try this at home, folks!” Taking the first offering in the list, the Adobe Photoshop DMG unpacks to contain both the genuine software, a patch for it, and a hidden cryptominer.
In another example, a number of easy-to-find websites offer “cracked” versions of popular apps, including another Adobe Zii crack. Here’s one:
Clicking on the link for the Adobe Zii 2020 5.2.0 Universal Patcher appears to provide a disk image for the same software.
However, after mounting the image we find no application at all, just a single mach-O file called “AdobeFlashPlayer”.
A quick lookup of the hash on VirusTotal confirms that it’s malware.
0d5b129d4e4f1da8847b4579cc8c4f59e12c17effa924bb2624983f0ade51ba4
Yet another site offers a crack of popular video and screencast editing software Camtasia, among many other paid-for applications. In case you know someone tempted, point them to the following sobering reality:
Downloading the DMG we find it contains an “Install” file; this time, neither an App bundle or a mach-O, but an obfuscated shell script.
And, of course, that’s malware, too.
Blaming Users Is No Way To Do Security
Regardless of the source of the infection or the payload delivered, in all these cases the user behaviour has one thing in common: each is attempting to find or obtain some premium product (or service) without paying for it. Knowing this, malware authors lure victims with promises of expensive or popular software and infect them with malware, usually instead of, but sometimes as well as, providing whatever was promised in the lure.
Are these users to blame for their own cheap skating, IP-stealing ways? There’s certainly no argument here that this kind of behavior shouldn’t be condoned and those guilty of actually stealing IP should be sanctioned by the appropriate authorities where possible. But playing the blame game ignores, rather than solves, the security issue. If users are committing crimes, surely we want them to be punished in appropriate ways by the proper authorities, not by malware authors?
More importantly, dismissing victims of supposed ‘self-inflicted’ cyber crime ignores the reality that the damage done by such malware can both have consequences far greater than the supposed ‘crime’ (you tried to steal a $99 software and lost your credit card credentials) and also can collaterally affect other users on the same device or network, a particular worry for enterprises with Mac fleets.
In short, let’s not leave security in the precarious and unreliable hands of moralists, and instead deal with the problem properly: through advanced behavioral AI that can protect such users from themselves, and protect the rest of us from such users.
2. Scamware, Scareware and all the PUPs
Not every user infected with macOS malware was looking to get something they should be paying for on the cheap. Some users are looking for genuine software to solve a problem, but they will rapidly encounter all kinds of sites with misleading cues and confusing download buttons, particularly if they are using a browser without some kind of advertising or pop up blocker.
A common source of scareware pop ups is product review sites, many of which are fake and lead consumers on a merry-dance through several links before throwing the inevitable alert claiming something like “Adobe Flash Player is out of date” or “Your Mac is infected with a virus”.
Similarly, many such sites are littered with malvertising, with flashy graphics or annoying gifs with fake “Close” button lures which, after a few redirects, end up in a predictable pop-up like the one below. In this example, the ‘Later’ button re-pops the alert while the ‘Install’ button treats the user to one variant or another of OSX.Shlayer.
3. Search and (Be) Destroy(ed)
Even without visiting such sites, general Internet searches for macOS-related content can turn up results with JavaScript redirection to fake App Store pages that deliver Shlayer malware, adware or PUP installers.
In this example the user conducts a search via Google for “Can You Expand A Dmg Without Mounting?” Among the the first page hits is this one, hosted on weebly.com:
hxxps://newsletternew979[.]weebly[.]com/can-you-expand-a-dmg-without-mounting[.]html
When the referrer is Google.com, the above site uses Javascript to replace the original content with a fake App Store and download links to OSX.Shlayer malware.
The site is scripted such that if the user follows a direct link or comes from another search engine, no redirection occurs. However, when the user is referred from Google, the original content is replaced with the fake App Store and the lure to download the malware.
4. Phishing, Targeted Attacks and…Ransomware?
And all this is without mentioning the actual malware campaigns that are directly aimed at Mac users. In the last 18 months or so, we’ve seen the return of OSX.Dok, unknown actors behind the GMERA malware campaign and plenty of Lazarus/AppleJeus campaigns targeting cryptocurrency exchanges and crypto wallet users to name just a few.
Only this week a well-known Remote Access Trojan/Backdoor from the Windows world (Dacls RAT) with links to Lazarus APT was discovered to have a macOS variant.
There is also evidence that the ransomware plague which so far has spared macOS users may be coming our way soon as ransomware-as-a-service vendors like SMAUG begin to offer Mac-compatible malware. At present, we have yet to see this particular threat active in the wild or validated it for it’s efficacy against Mac targets, but the fact that such offerings are being made suggests cyber criminals are aware of the value of infecting macOS users: “Don’t leave money on the table by focusing only on Windows”, the message states.
But…Apple Have Your Back, Right?
Although you can find many Apple enthusiasts and social media “influencers” still denying that there is a malware problem on macOS, you won’t find anyone from Apple sharing that view (if you can find anyone from Apple to share a view, that is…).
Joking aside, Apple are well aware of the problem and as we’ve pointed out before, have admirably stepped up their attention to security in the last 12 to 18 months. XProtect and MRT.app are now regularly updated, and there’s no doubt that they are both far more comprehensive than they’ve ever been before. Indeed, I’ve even written about how to keep up with Apple’s security updates myself as a means of threat research.
That said, the issue now is not so much that Apple isn’t working hard to protect the platform as that the current tools on the platform are simply not up to the job. They are built on old technology – Yara Rules, path lists, code signing certificates – that require having already seen a threat before writing a signature to stop it.
Conclusion
Malware is a growing problem on macOS. It certainly isn’t as big a problem as it is on the Windows platform, but it’s way past the point where anyone with any reasonable knowledge of what’s going on in the wild would deny it.
Yes, users are sometimes culpable, and sometimes gullible; but burying our collective heads in the sand and assuming that if we can’t see macOS malware it can’t see us will only serve to exacerbate the problem. It’s been proven beyond argument that no matter the platform, the only effective way to do enterprise security is to stop chasing malware samples and start detecting malware behaviors. If you’d like to see how SentinelOne can help protect your enterprise, contact us today or request a free demo.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read more about Cyber Security