There was a time when users believed that Macs were safe to use because Apple’s security features were second to none in the market. That notion is about to change. According to an analysis by two security researchers, Claudio Guarnieri and Collin Anderson, a Mac-based malware dubbed MacDownloader is apparently being used by Iranian hackers to launch attacks against the US defense industry and human rights communities, especially those focused on Iran.
They identified the malware while researching the cyber espionage and surveillance activities of Iranian hackers. The researchers discovered it on a fake website impersonating the US aerospace firm United Technologies. The same site had previously been used in another spear-phishing campaign, but at that time it targeted Windows-based systems; researchers also identified the involvement of Iranian hackers in that campaign.
The malware is served as a fake Adobe Flash installer, and the download page offers a choice of either a Windows-based or a Mac-based version. It is designed to spy on the targeted computer and steal important credentials. To do so, it presents fake system login prompts and harvests passwords stored in Keychain, Apple’s password management system. The researchers say the malware is not of high quality and looks like the work of an “amateur developer.”
They drew this conclusion because, once installed, the malware displays a fake Adobe Flash Player dialog box claiming that adware has been discovered on the computer and offering to clean it up.
The researchers note that these dialog boxes are full of “typos and grammatical errors,” which suggests the developer(s) paid little attention to the quality of the malware. Moreover, the malware cannot run a script to download additional malware onto the infected Mac. Still, it is regarded as a threat because it evaded detection by the antivirus engines aggregated by the scanning service VirusTotal.
The attribution to Iran rests on circumstantial evidence: the researchers discovered an exposed server to which MacDownloader uploaded data, and it displayed the names of wireless networks belonging to Iranian hacker groups, including “Jok3r” and “mb_1986.” A hacker associated with one of these networks uses the name Flying Kitten and is known for targeting US political dissidents and US defense contractors.
In their report, the researchers noted: “While this [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers.”