More Mac Malware Thus Far in 2017 Than Any Other Year

With more than 4 months to go before the year ends, this year has already seen more Mac specific malware than any other. Is this finally the end of Mac OS’s reputation as relatively virus-free?

Obviously, Macs have never been totally virus-free. Compared to Windows malware however, the amount of Mac targeted malware has always been minimal. This has largely been due to the substantially smaller market share of Mac OS X. With far fewer users to target compared to Windows, malware creators didn’t have enough incentive to develop as many viruses for Apple’s personal computing platform.

Interestingly, this year has been quite different in regards to Mac malware activity. According to Malwarebytes, not only was there a 230% year-on-year increase in Mac malware last July, the first half of 2017 has already seen more Mac malware than all of 2016 or indeed, any other year. While we’re accustomed to seeing more malware year after year, Mac focused malware is a bit different.

Could the significant uptick in Mac malware be due to a corresponding increase in user base? Not really. In fact, OS X market share hasn’t changed significantly since last year.

Malware in the App Store

What makes this surge even more alarming is that a significant amount of malware has managed to invade even the App Store. Apple is known to be very thorough in screening the applications that make it to the Mac App Store.

They review each app for objectionable content, acceptability, app completeness, hardware compatibility, intellectual property, spam, ability to inflict harm, and a host of other criteria. Apple has even been quick to pull apps from the store if they’re later found to be problematic.

Apple touts the App Store as the safest place to download apps and many users believe that to be wholly accurate. This false sense of security leaves them more vulnerable to attacks as they are perhaps not as vigilant or discerning as they might be on another platform.

Proton RAT leads off 2017 surge

One of the biggest threats to emerge this year was a RAT (Remote Access Trojan) known as OSX.Proton.B or simply Proton. Being a RAT, Proton takes the form of a legitimate application accompanied by a back door that provides administrative control to a victim’s system.

During one campaign, Proton handlers were able to modify Handbrake, an app built to convert video files. Proton’s handlers infiltrated one of Handbrake’s download mirrors, enabling them to replace the app’s DMG file with a modified version infected with Proton code.

Once the compromised application is installed onto a victim’s device, the Proton RAT kicks in. Proton can carry out several malicious acts, including: recording keystrokes, stealing passwords, controlling the webcam, allowing remote access, and gaining access to the user’s iCloud account.

Proton can be installed surreptitiously because the malware uses genuine Apple code-signing signatures. This allows it to bypass Apple’s Gatekeeper, an OS X feature that blocks apps if they aren’t digitally signed using a valid Apple Developer ID.

Proton’s existence was uncovered when researchers from cyber security firm Sixgill chanced upon a post on a notorious Russian cybercrime message board. The post introduced Proton as the “Newest and only macOS RAT in the market.” Originally priced at approximately 100 BTC (bitcoin), which was equivalent to about $100,000 at the time, Proton was out of reach for most.

Findzip Ransomware

Another piece of Mac malware that emerged this year is Findzip. Ransomware has been gaining a lot of notoriety lately, so people in the Mac community were rightly alarmed upon learning that one of the biggest malware threats in the world today is now right on their doorstep.

Findzip is usually disguised as a crack for either Adobe Premiere Pro or Microsoft Office. Being a crack, it doesn’t go through the normal Mac application installation process. People who use cracks typically employ workarounds to bypass Apple’s security measures meant to prevent the installation of malicious programs. Of course, the use of these workarounds plays right into the hands of Findzip’s operators.

Unlike Proton, Findzip isn’t digitally signed using an Apple-issued certificate. As such, it will be considered as coming from an unidentified developer, marked with a ‘quarantine’ flag, and ultimately denied installation. Well and good, but that doesn’t stop Findzip from getting through.

Normally, apps that aren’t downloaded from the App Store are downloaded through a web browser. Popular web browsers set the quarantine flag on downloaded files, and the system checks that flag together with the signature, so if a user attempts to open such a DMG file from an unidentified developer, the system will prevent the file from being opened.

Alas, people who want to install cracked applications and other pirated software don’t go down that route. Instead, they download files through alternative means, usually torrents. Torrent clients don’t set the quarantine flag when they download a file. Thus, when the user opens the DMG file, the system won’t be able to do anything about it.
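The quarantine attribute the article describes is an extended attribute named com.apple.quarantine whose value is a semicolon-separated string (hex flags, hex download timestamp, the agent that wrote it, and an event UUID). The following script is an added example, not code from the original post: it parses that value and audits a downloads folder for installers that carry no attribute at all, which is exactly the state a torrent client leaves files in. It assumes macOS's `xattr` command-line tool for reading the attribute; the parser itself runs anywhere and the sample value below is constructed.

```python
"""Audit downloaded installers for the com.apple.quarantine attribute."""
import os
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"
INSTALLER_EXTS = (".dmg", ".pkg", ".app", ".zip")


@dataclass
class QuarantineInfo:
    flags: int              # hex flag word written by the downloading app
    downloaded_at: datetime  # decoded from the hex epoch timestamp
    agent: str              # application that wrote the attribute, e.g. "Safari"
    event_uuid: str         # key into the LaunchServices quarantine event DB


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hex-timestamp;agent;uuid'. The uuid field may be empty."""
    parts = value.strip().split(";", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags_hex, ts_hex, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) == 4 else ""
    return QuarantineInfo(
        flags=int(flags_hex, 16),
        downloaded_at=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_uuid=uuid,
    )


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value via macOS `xattr -p`, or None when the
    file has no quarantine flag (or the tool is unavailable on this host)."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    value = out.stdout.strip()
    return value if out.returncode == 0 and value else None


def audit_unflagged_installers(directory: str) -> List[str]:
    """List installers Gatekeeper would never have assessed: no quarantine flag.
    Such files deserve a manual `spctl --assess` before they are opened."""
    unflagged = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.lower().endswith(INSTALLER_EXTS) and read_quarantine(full) is None:
            unflagged.append(full)
    return unflagged
```

Running `audit_unflagged_installers(os.path.expanduser("~/Downloads"))` on a Mac lists exactly the DMG and PKG files that arrived outside a quarantine-aware downloader.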

It’s comforting to note however that 1) Findzip will not be able to affect users who download apps through legitimate means and 2) it’s now easy to find tools or methods for decrypting files encrypted by Findzip. In fact, if you google for ‘findzip ransomware’, the first search results actually point to removal/remediation solutions, and not just information about the malware itself.

Flashback to Flashback?

The last time there was a surge of Mac malware activity of this magnitude was in 2011-2012, when the Flashback Trojan struck. Flashback was said to have infected about 600,000 Macs then. That number amounted to more than 1% of the total number of Macs at that time.

Taken individually, none of the Mac malware detected this year appears to have infected as many devices as Flashback. The Flashback outbreak remains the largest Mac-based malware outbreak in history, but 2017 shows a disturbing trend that all Mac users should pay close attention to.

How to survive Apple’s big day.

If you’re like me, you are at best mildly curious to see what Apple unveils in Flint, MI, tomorrow. At worst, you’re dreading the onslaught of Apple news, commentary, and reactions. If the rumours about the iWatch and iPhone 6 are true, tomorrow could be the most annoying launch day in Apple’s history.

It won’t be easy, but it is possible to get through tomorrow without being bombarded.

  • Don’t turn on the TV. There will be speculation about what will be revealed, what effect it will have and why we should care. I can assure you that it won’t be all that interesting.
  • Do not turn on your radio on the way to work. If you still listen to traditional radio in your car, now might be a good time to look into streaming services, satellite radio, mix tapes, audio books, meditation, anything.
  • When you get to work, avoid anyone wearing an Apple shirt. Just skirt around them à la Office Space. If they’ve chosen today to show their undying support for a brand, you don’t want to talk to them. Trust me.
  • Turn off all updates on your phone. Twitter, LinkedIn, Instagram, Vine, Facebook, Flipboard, all of them. Do the same on your computer. Uninstall your browsers if need be. Filter all emails with Apple in the subject line to your junk mail. You may not think that certain feeds will be filled with Apple gushing, but you’ll be wrong.

At some point during the day, someone will probably want to talk to you about an iSomething. I have two surefire strategies for this scenario. For the more casual conversation partner, I suggest a quick change of topics. Ignore the question completely and ask them about something else they care about. “How’s your kid doing in softball this year?” or “You look great, are you exercising?” The key here is to sound really excited to talk to them. I’ll leave it to you to decide whether hearing about little Billy’s last home run is better than hearing about how “revolutionary”, “game changing”, or “disruptive” the iWatch will be.

If they have the glazed eyes and sweaty palms of a rabid fan boy, they will need something a little more…jarring. If you can feign a good cry, do it now. Clutch your mouth and start sobbing. Maintain eye contact for a few seconds before running away while flailing your arms. If you can’t cry on demand, I’d substitute an urgent bathroom trip. Key here is a sudden look of surprise mixed with sheer terror. Exit the area immediately with one hand on your stomach and the other on the seat of your pants.

If you can make it through the work day, you should be home free. Just remember to stay away from any sort of live news or comments. It’s not easy, but it can be done. Things should be back to normal in a couple of days. Of course, it may just be easier to call in sick and cocoon yourself in bed until the hysteria subsides. Good luck.

Photos courtesy of theapplecollection.com