Here are the most virulent malware strains on Mac and iPhone right now


Mélina LOUPIA

April 9, 2024 at 12:53 p.m.


iPhones or Macs are not safe from malware - © Sutthiphong Chandaeng / Shutterstock


Trojan horses, backdoors, stealers and fraudulent applications are now part of the landscape of Apple users.

There is a common misconception that there is no real malware for Mac or iPhone. Even though Apple machines are renowned for their security, they are not immune to malware or attacks. One recent example is Gold Pickaxe, the Trojan horse that steals your face to siphon off your banking data.

Intego, a French macOS security company, lists recent trends and specific examples of malware and potentially unwanted applications (PUAs) to warn Apple users, who cannot rely on antivirus apps on iPhone since Apple no longer allows them in the iOS App Store.

The most common: backdoors, Trojan horses and infostealers

In early 2024, researchers warned of an Advanced Persistent Threat (APT) malware called SpectralBlur, attributed to Bluenoroff, a North Korean APT group. SpectralBlur is a backdoor that allows a remote threat actor to exfiltrate data, download additional code to add functionality, and take full control of an infected Mac.

At the same time, a large campaign was observed to distribute a backdoor for Mac called “Activator”. This malware is a Trojan horse that claims to “activate” a pirated application obtained illegally via BitTorrent. If a victim runs the Activator app, it installs a backdoor that can attempt to steal cryptocurrency wallets and allow a malicious actor to send commands remotely.
Another Mac backdoor family is RustDoor, first observed around October or November 2023 and distributed via Trojans disguised as job offers. RustDoor is designed to collect data from a victim’s Mac and exfiltrate it to a command and control (C&C or C2) server. This malware has been attributed to the notorious ALPHV ransomware gang, also known as BlackCat or Noberus.

Infostealers, another category of data-theft malware, were also widespread between January and March 2024. This malware is designed to collect and exfiltrate sensitive data from a victim’s computer, including passwords, browser autofill data, session cookies, and cryptocurrency wallets.

A recent Atomic macOS Stealer (AMOS) malware distribution campaign was observed, where the threat actors paid for sponsored ads to gain the top position in Google search results.

The Trojan horse is very widespread at Apple - © Thaspol Sangsee / Shutterstock


Hosted in the App Store: fake crypto apps and piracy apps

The Apple App Store continued to host fraudulent and illegal content despite itself throughout the year. Among them, a fake LastPass Password Manager application, designed to steal victims’ passwords. It was reported by users and was eventually removed from the App Store.

Two fraudulent cryptocurrency finance apps, Curve Finance and Rabby Wallet, have also been reported. To look as convincing as possible, these counterfeit applications used the real names and logos closely resembling those of the publishers of the original applications. This is how the fake Rabby Wallet application stole more than $100,000 from victims who fell for this near carbon copy. Fake crypto apps usually ask victims for their secret recovery phrase (the backup of all private keys stored in the crypto wallet) and then drain all their assets.

Apple also unknowingly approved a fake PancakeSwap cryptocurrency app in the App Store at least three times. Another counterfeit crypto app, “Leather Wallet & Hiro Bitcoin,” was also reported to have stolen over $120,000 worth of cryptocurrency from a single victim.

In February, a malicious DMG file containing an AppleScript application called “Updater” was discovered. When executed, this application installs a LaunchDaemon so that it runs every time the infected Mac restarts, giving the attacker persistent full access.
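Persistence through a LaunchDaemon, as described above, leaves a plist on disk that launchd reads at boot, which makes it something a defender can audit. The script below is an added example (not part of the article and not Intego's tooling): it parses launchd plists with the standard-library plistlib and flags jobs whose program is outside Apple-owned paths, that invoke a scripting interpreter such as osascript, or that combine RunAtLoad with KeepAlive. The sample plists, the trusted-path list and the interpreter list are constructed heuristics for the example, not details of the “Updater” malware.

```python
"""Audit macOS launchd persistence plists.

Added example, not Intego's code. Flags LaunchDaemon/LaunchAgent jobs that look
like script-based droppers. The sample plists below are constructed for the example.
"""
import os
import plistlib
from pathlib import Path

# Directories launchd reads at boot / login on macOS.
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Program locations treated as trusted for this heuristic; anything else is worth a look.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
# Interpreters commonly abused by script-based droppers (assumed heuristic list).
INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "curl"}


def program_of(job: dict) -> list:
    """Return the command line launchd would execute for a parsed plist dict."""
    if "ProgramArguments" in job:
        return list(job["ProgramArguments"])
    if "Program" in job:
        return [job["Program"]]
    return []


def assess_job(job: dict) -> list:
    """Return the reasons a job looks suspicious (empty list means nothing flagged)."""
    reasons = []
    argv = program_of(job)
    if not argv:
        return ["no Program/ProgramArguments"]
    exe = argv[0]
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted paths: {exe}")
    if os.path.basename(exe) in INTERPRETERS:
        reasons.append(f"runs interpreter {os.path.basename(exe)}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restart-on-boot, auto-respawn)")
    return reasons


def assess_plist_bytes(data: bytes) -> list:
    """Parse a plist (XML or binary) and assess it."""
    return assess_job(plistlib.loads(data))


def scan(dirs=LAUNCHD_DIRS) -> dict:
    """Scan the real launchd directories; returns {plist path: reasons} for flagged jobs."""
    findings = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):  # silently empty on a non-macOS host
            try:
                reasons = assess_plist_bytes(p.read_bytes())
            except Exception as exc:  # malformed plist is itself a finding
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed sample: what a script-based dropper's LaunchDaemon could look like.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Library/Application Support/.updater/run.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: a benign Apple-style daemon.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/usr/libexec/exampled</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_plist_bytes(data) or "clean")
    for path, reasons in scan().items():
        print(path, reasons)
```

Run it as root on a Mac to cover /Library/LaunchDaemons; the interpreter check is deliberately noisy, because legitimate jobs do run shell scripts, so treat the output as a triage list rather than a verdict.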

At the same time, a malware campaign was reported in which Calendly invitations were sent to people interested in technologies such as blockchain and crypto. These invitations can trick the user into running malicious AppleScript. Additionally, a data leak known as iSoon revealed information about custom malware for Mac and iPhone.

To make matters worse, Apple also began allowing movie and TV piracy apps in the App Store in March. The first app that made headlines ranked second in the Entertainment category and eighteenth in the Top Free category on the US App Store.

It’s possible that Apple directly profited from this app, which contained in-app purchases that were supposed to remove ads or allow the user to “tip” the developer.
On March 25, the researcher who discovered the first piracy app also found two other apps distributing pirated content. Then, on March 28, he discovered three more. While Apple has since removed the first two, the three later piracy apps could still be found in the App Store as Intego published its report.

Although piracy apps are not necessarily malware, they are considered potentially unwanted applications (PUAs) because they are designed to break the law and because of the questionable ethics of their developers.


Source : Intego

Mélina LOUPIA


Former corporate journalist; the world of the web, networks, connected devices and everything written on the Internet whets my appetite. From the latest TikTok trend to the most-liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a reasonable woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
