Mac users are often told that they don’t need antivirus software, because there are no Mac viruses. However, this is not true at all, as Macs actually are affected by malware, and have been for most of their existence. Even the first well-known virus—Elk Cloner—affected Apple computers rather than MS-DOS computers.
In 2018, the state of Mac malware has evolved, with more and more threats targeting these so-called impervious machines. We have already seen four new Mac threats appear. The first of these, OSX.MaMi, was discovered on our forums by someone who had had his DNS settings changed and was unable to change them back.
The malware that was discovered on his system acted to change these settings and ensure that they remained changed. Additionally, it installed a new trusted root certificate in the keychain.
These two actions are highly dangerous. By redirecting the computer’s DNS lookups to a malicious server, the hackers behind this malware could direct traffic to legitimate sites, such as bank sites, Amazon, and Apple’s iCloud/Apple ID services, to malicious phishing sites. The addition of a new certificate could be used to perform a “man-in-the-middle” attack, making these phishing sites appear to be legitimate.
Thus, this malware was likely interested in using phishing sites to steal credentials, although we don’t know what sites were targeted.
The second malware was discovered via research into nation-state malware, called Dark Caracal, by Lookout. The report mentioned a new cross-platform RAT (remote access tool, aka backdoor), which it called CrossRAT, which is capable of infecting Macs, among other systems. This malware, written in Java, provided some basic remote backdoor access to infected Mac systems. Although not very complete, this malware was only a version 0.1, indicating that it is probably in an early stage of development.
Although Macs no longer come with Java preinstalled, and haven’t for years, it’s important to keep in mind that nation-state malware is often crafted and used with some knowledge of the target(s) in mind. The targets intended to be infected with this malware may have had reason to install Java, or it may have been installed via physical (or some other) access by a hacker targeting specific individuals.
The next piece of malware was named OSX.CreativeUpdate, and was originally discovered through a supply chain attack involving the MacUpdate website. The MacUpdate website was hacked, and the download links for some popular Mac apps, including Firefox, were replaced with malicious links.
To read the original article: