Mac malware from Iran targeting US defense industry, human rights activist

The malware has been poorly developed yet undetected on VirusTotal.

There was a time when users believed Macs were safe to use because Apple's security features were second to none in the market. That notion is about to change. According to an analysis by two security researchers, Claudio Guarnieri and Collin Anderson, a Mac-based malware dubbed MacDownloader is apparently being used by Iranian hackers to attack the US defense industry and human rights communities, especially those focused on Iran.

They identified the malware while researching the cyber espionage and surveillance activities of Iranian hackers. The researchers discovered it on a fake website impersonating the US aerospace firm United Technologies. The same site had previously been used in a spear-phishing campaign that targeted Windows-based systems, and researchers identified the involvement of Iranian hackers in that campaign as well.


The malware is distributed as a fake Adobe Flash installer, and the download page offers a choice between a Windows-based and a Mac-based version. It is designed to spy on the targeted computer and steal credentials. To do so, it displays fake system login prompts and harvests the passwords stored in Keychain, Apple's password management system. Researchers say the malware is not of high quality and looks like the work of an "amateur developer."

United Technologies targeted by Iranian malware

They were able to draw this conclusion because, once installed, the malware displays a fake Adobe Flash Player dialog box announcing that adware has been discovered on the computer and offering to clean it up.

Researchers note that these dialog boxes are full of "typos and grammatical errors," which suggests the developer(s) did not pay much attention to the quality of the malware. Moreover, the malware cannot run a script to download additional malware to the infected Mac. Still, it is regarded as a threat, since it went undetected by the antivirus engines aggregated by VirusTotal.


The involvement of Iran was established through circumstantial evidence. The researchers discovered that the server MacDownloader uploaded data to was exposed, and it displayed the names of wireless networks belonging to Iranian hacker groups. These names included "Jok3r" and "mb_1986." One of the hackers associated with these networks operates under the name Flying Kitten, which is known for targeting US political dissidents and US defense contractors.

In their report, the researchers noted: "While this [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers."


Written by Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'