MacOS is Increasingly Targeted by Threat Actors | Intel471

Aug 12, 2024

Background

Apple computers have been regarded by some as more secure than Windows. This perception is due to several factors. One aspect of Apple’s clever marketing campaign from 2006 to 2009 emphasized that its desktop computers were not troubled by malware aimed at the Windows ecosystem. Fewer security researchers specialize in macOS versus Windows, resulting in more issues discovered affecting Windows machines. Also, malware writers tend to focus on Windows because it’s a much larger pool of potential systems to compromise. As of April 2024, Windows had a market share of about 72% compared to about 15% for Apple. Apple’s share is higher in the small to medium-sized enterprise (SME) vertical, which was about 22.4% as of February 2024. Apple maintains a robust security program, but like all software, vulnerabilities have been discovered and exploited in macOS and it still is targeted by malware developers. We’ve observed increasing interest in macOS from threat actors, a trend that could be the result of increased use of macOS across organizations.

From January 2023 to July 2024, we observed more than 40 actors targeting macOS devices. In 2023, 21 actors were interested in malware for macOS, with some looking for services to distribute macOS malware. From January 2024 to July 2024, we observed 21 actors targeting macOS users, which suggests actors increasingly are attempting to target Apple devices.

Figure 1: This chart depicts threats that impacted macOS devices from January 2023 to July 2024.

Malware

Historically, most malware variants were developed to target the Windows operating system (OS). However, as macOS adoption rises, so too does the number of malware variants designed to profit from it. Open sources report that malware targeting macOS has increased. Patrick Wardle, the creator of the Mac security website and tool suite Objective-See, wrote that new macOS malware doubled in 2023 compared to 2022.

Infostealer malware

Wardle wrote that the most common type of new macOS malware in 2023 was information-stealing aka infostealer malware, with the Group-IB cybersecurity firm noting a fivefold increase in underground sales related to macOS infostealers. Infostealers have become one of the predominant drivers of breaches and cybercrime. These malware programs collect login credentials, session cookies and other sensitive data from infected computers. The data is then sold on cybercrime forums, often as part of large batches known as “logs.” This data is purchased by cybercriminal actors, ransomware groups and others seeking to infiltrate organizations. Infostealers were cited as one of the predominant causes of data breaches for users of Snowflake’s data warehousing services. Google’s Mandiant said all of the investigations it conducted related to the breaches were traced to infostealers that had captured credentials of clients that had Snowflake accounts.

We have observed some threat actors conducting research on the demand for macOS stealers. For example, in May 2023, the actor callisto asked if users were interested in “a stealer with RedLine functionality targeting macOS systems” and sought their thoughts on potential features and pricing. RedLine was the most frequently downloaded malware in 2023, although its dominance has declined in 2024.

Figure 2: A threat actor sought to understand market demand for an infostealer similar to RedLine but for macOS.

One of the most popular macOS stealers offered in the underground is Atomic Stealer aka Atomic MacOS Stealer, AMOS. Atomic Stealer was first spotted in March 2023 and is offered on a malware-as-a-service (MaaS) basis on multiple forums by the actor Atomic MacOS Stealer. Similar to other stealers, Atomic Stealer is designed to collect credentials from major browsers and cryptocurrency wallet data from macOS devices. The Malwarebytes antivirus software company previously reported two Atomic Stealer malware advertising (malvertising) distribution campaigns in September 2023 and November 2023. In July 2024, Malwarebytes observed another Atomic Stealer malvertising campaign that leveraged a fake Google advertisement for Microsoft’s Teams software.

Figure 3: This image depicts a screenshot of the AMOS log the actor Atomic MacOS Stealer provided on the Coockie forum on March 14, 2023.

Additionally, in early April 2024, we reported the actor Baptist offered to provide malvertising with domain name spoofing on the Google Ads and Microsoft Ads platforms. The actor claimed to operate multiple infostealers, including Atomic Stealer, to target macOS and Windows OSs. The actor also offered to distribute malware phishing pages and sought to work with operators of fully undetectable (FUD) malware with hidden virtual network computing (HVNC) functionality.

We also observed multiple actors operate or advertise other infostealers targeting macOS users. In June 2023, the actor codehex advertised a macOS stealer dubbed ShadowVault. The malware was designed to collect sensitive data from a variety of Chromium-based browsers, files stored on compromised computers and data from cryptocurrency wallets. It also has a feature that involves signing the malicious software's build with an Apple developer's signature. ShadowVault was offered under the MaaS model at a monthly price of US $500. In April 2024, the actor QuarkLab offered a MaaS dubbed Quark Lab, which includes a drainer and infostealer targeting macOS users. The malware could be used to extract Keychain passwords as well as data from cryptocurrency wallets and popular browsers on victims’ machines. The malware was offered for US $3,000 per month.

In the first half of 2024, several actors sought traffic providers or offered to distribute a macOS stealer for a share of the profits. In March 2024, the actor Golova666 claimed to have access to a large number of corporate European Union (EU) and U.S. MacBook devices and sought partners to cooperate with on a profit-sharing basis. The actors QuanticDream and XRetired were interested in experienced Google Ads traffic providers to launch spreading campaigns using undisclosed macOS infostealer malware. Both actors were ready to offer partners shares of the profits, while XRetired stated a negotiated fixed cut was possible.

Trojan malware

Remote access trojans (RATs) also have been used extensively to target macOS devices. In 2020, we reported the actor TooMuchNetworks claimed to operate a private macOS RAT and sought partners who could provide macOS malware installs. The actor did not provide any details about the malware but stated it has a “wide spectrum of features.”

Additionally, in February 2024, security researchers identified a new macOS backdoor that possibly was connected to the Black Basta and now-defunct ALPHV ransomware groups. The Bitdefender security company identified the malware as Trojan.MAC.RustDoor. It was written in the Rust programming language and was designed to exfiltrate documents with specific extensions and sizes from the Documents and Desktop folders, as well as the user’s notes, which are stored in SQLite format. The malware copies these files to a hidden destination folder and sends them to the attacker’s command-and-control (C2) server. The researchers discovered three of four C2 servers previously were associated with Black Basta and ALPHV ransomware operators, although there was insufficient evidence to confidently attribute this campaign to a specific threat actor.

Ransomware

Threat actors increasingly are recognizing the value of Apple users’ data, and the appearance of macOS ransomware raises concerns since it demonstrates threat actors seeking new avenues to compromise Apple users. Although most ransomware variants are not specifically designed for macOS, threat actors have attempted to develop ransomware strains capable of affecting Apple devices. According to research conducted by Moonlock, the cybersecurity wing of MacPaw, ransomware and RATs accounted for about 15% of all the malware used to target macOS users in 2023.

In late 2023, security researchers analyzed new macOS ransomware dubbed Turtle, which allegedly was named by its author and was written in the Go programming language. The ransomware was not attributed to a specific threat actor but it included multiple strings written in Chinese. The analyzed sample, however, was not sophisticated enough to pose a serious threat to macOS users at that time. The malware used an ad hoc signature and was not notarized by Apple, making it difficult to bypass Gatekeeper technology, which reviews apps to see if they have been signed or notarized by Apple. Moreover, since encryption was performed using a Go cryptography/advanced encryption standard (AES) library, it was quite trivial to pick up the ransomware key with a carefully placed breakpoint, according to an Objective-See blog post. We also reported cybercriminals offering ransomware development services for threat actors targeting macOS users.
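A triage check for the two properties noted above (ad hoc signature, no notarization), added here as an example and not taken from the original report: it classifies a binary from the output of `codesign -dv --verbose=4` and `spctl -a -vv`. The sample outputs, paths, names and team ID are constructed placeholders.

```python
import re

# Constructed sample outputs of `codesign -dv --verbose=4` (which writes to
# stderr); paths, names and the team ID are placeholders, not report values.
ADHOC = """Executable=/Users/test/Downloads/sample_app
Identifier=sample_app
Signature=adhoc
TeamIdentifier=not set
"""
DEVID = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
# Constructed sample outputs of `spctl -a -vv`.
SPCTL_NOTARIZED = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""
SPCTL_REJECTED = "/Users/test/Downloads/sample_app: rejected\n"


def parse_fields(text):
    """Collect key=value lines; repeated keys such as Authority keep their order."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def triage(codesign_text, spctl_text=""):
    """Classify one binary from its codesign and spctl output."""
    fields = parse_fields(codesign_text)
    if not fields:
        return "unsigned"  # codesign printed an error instead of fields
    if "adhoc" in fields.get("Signature", []):
        return "adhoc"  # no certificate chain back to Apple
    dev_id = any(a.startswith("Developer ID Application:")
                 for a in fields.get("Authority", []))
    notarized = re.search(r"^source=Notarized Developer ID$", spctl_text, re.M)
    if dev_id and notarized:
        return "notarized"
    return "developer-id-not-notarized" if dev_id else "other-signature"
```

A Developer ID signature alone is not evidence that a binary is benign, so `developer-id-not-notarized` calls for review rather than a pass.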

Some ransomware groups also attempted to modify or enhance malware variants to make them capable of affecting Apple and macOS devices. In April 2023, the Bleeping Computer information and technology news site reported the LockBit ransomware gang created encryptors to target Apple Mac devices. The cybersecurity researcher or researchers behind the MalwareHunterTeam account on X, formerly known as Twitter, reportedly discovered the new encryptors in a compressed (ZIP) archive on the VirusTotal intelligence platform that allegedly contained most of the available LockBit encryptors. The LockBit gang is known to attack Windows, Linux and VMware ESXi servers. However, the archive discovered on VirusTotal also contained previously unknown encryptors for FreeBSD and macOS OSs, as well as ARM, MIPS and SPARC processors. One of the encryptors, named “locker_Apple_M1_64,” allegedly targeted newer Macs running on Apple Silicon, but Bleeping Computer reported the archive also contained lockers for PowerPC CPUs used by older Mac devices. Additional research revealed the encryptors likely were not ready for deployment in attacks and instead appeared to be test builds. In May 2023, we reported the Knight aka Cyclops ransomware-as-a-service (RaaS) affiliate program, which was updated and rebranded as the RansomHub RaaS in February 2024, also offered a ransomware strain to target macOS.

Vulnerabilities

Apple vulnerabilities are highly sought-after by threat actors. We reported 69 vulnerabilities impacting multiple versions of macOS from March 2020 to July 2024.

Figure 4: The graph depicts the number of vulnerabilities impacting macOS reported from March 2020 to May 2024 according to their risk level.

Some high-risk vulnerabilities include:

CVE-2023-41993: An unspecified vulnerability impacting multiple versions of Apple macOS Sonoma, Apple iOS and iPadOS, and Apple Safari. Apple and security researchers with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) claimed the vulnerability was actively exploited in the wild. Additionally, CVE-2023-41993 likely was weaponized and leveraged as part of an exploit chain to deploy Cytrox's Predator spyware.

CVE-2023-41064: A buffer overflow vulnerability impacting Apple iOS 15.7.8 and iPadOS 15.7.8 and earlier, Apple macOS Monterey versions 12.6.8 and earlier, Apple macOS Big Sur versions 11.7.9 and earlier, Apple iOS versions 16.6 and iPadOS versions 16.6 and earlier, and Apple macOS Ventura versions 13.5.1 and earlier. Apple and security researchers at CISA claimed to be aware of the vulnerability being actively exploited in the wild. Additionally, security researchers claimed CVE-2023-41064 was exploited in the wild in conjunction with CVE-2023-41061 to distribute the NSO Group's Pegasus mercenary spyware. If executed correctly, this exploit chain has the capability to compromise the system without requiring any interaction from the victim.

CVE-2022-32893: An out-of-bounds write vulnerability impacting Apple macOS Monterey 12.5 and earlier, Apple watchOS versions 8.7.1 and earlier, Apple iOS versions 12.5.5 and earlier, and Apple iOS versions 15.6 and iPadOS versions 15.6 and earlier. An exploit was advertised in the underground. Apple claimed to be aware of the vulnerability being actively exploited in the wild. The actor oDmC3oJrrSuZLhp offered to sell an exploit on the XSS forum for 2.5 million euros (about US $2.7 million) and offered to work through an escrow. Additionally, several actors shared information from open source reporting.

CVE-2021-30858: A use-after-free vulnerability impacting Apple macOS Big Sur versions 11.5.2 and earlier, Apple iOS versions 14.7.1 and iPadOS versions 14.7.1 and earlier, and Apple Safari versions 14.1.1 and earlier. A proof of concept (PoC) was observed in open source. Apple claimed to be aware of the vulnerability being actively exploited in the wild.

Assessment

MacOS still significantly lags behind Windows by overall OS market share. This has been, and continues to be, the biggest deterrent to actors seeking to spend resources developing malware. However, the Windows market is saturated and continues to be dominated by several threat actors who established themselves within the malware domain for many years. As such, the macOS market represents an opportunity for actors to capitalize on the lack of competition, and given the upward trajectory of macOS, a chance to establish a brand during a time of relative market freedom. This trend already has begun to materialize, as seen by the number of macOS offers identified in both 2023 and early 2024. Two of the most common malware threats impacting macOS devices are infostealers and RATs, likely due to threat actors seeking to cash in on the lucrative access market. However, the threat landscape is an interconnected ecosystem and the biggest needle mover is ransomware. Without a slew of credible ransomware groups and builds, the growth of the macOS malware market likely will be incremental. Nevertheless, despite the high quality of Apple products, they are not infallible. Mac users should stay vigilant for a variety of threats as actors increasingly explore new and more sophisticated ways to infiltrate their systems.