Are Macs safe? Threats to macOS users

Are Macs as safe as their owners think they are? A few recent stories about malware targeting macOS users.

Is macOS as secure as its users think?

Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don’t need to worry about protecting their devices. However, this is far from the case: while there is less malware for macOS, it’s still much more common than Apple device owners would like to think.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

BlueNoroff/RustBucket: decoy PDF cover page

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive.

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.
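A proxy Trojan of the kind described above has to accept or relay connections, so an unexpected listening socket is one of the simplest host-side signals a defender can check for. The following is an added illustration, not code from the original post: it parses constructed sample output of macOS `lsof -i -P -n` and flags TCP listeners whose process name is not on a placeholder allowlist.

```python
"""Flag unexpected TCP listeners in `lsof -i -P -n` output (macOS)."""
import re
from dataclasses import dataclass

# Constructed sample of `sudo lsof -i -P -n` output: two benign macOS
# listeners, one browser connection, and a hypothetical process "helper_x"
# listening on 1080 (the conventional SOCKS proxy port).
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    512   alice   4u  IPv4 0x1a2b      0t0  TCP *:49152 (LISTEN)
ControlCe   540   alice   8u  IPv6 0x3c4d      0t0  TCP *:7000 (LISTEN)
Safari     1203   alice  31u  IPv4 0x5e6f      0t0  TCP 192.0.2.10:52211->203.0.113.5:443 (ESTABLISHED)
helper_x    998   root   40u  IPv4 0x7a8b      0t0  TCP *:1080 (LISTEN)
"""

# Placeholder allowlist; a real baseline is taken from a known-clean machine.
KNOWN_LISTENERS = {"rapportd", "ControlCe", "launchd", "sharingd"}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, TCP rows only
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"TCP\s+(?P<name>.+?)\s+\((?P<state>\w+)\)$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    addr: str


def parse_listeners(lsof_output: str) -> list[Listener]:
    """Return every TCP socket in LISTEN state from raw lsof text."""
    found = []
    for line in lsof_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        found.append(Listener(m.group("cmd"), int(m.group("pid")),
                              m.group("user"), m.group("name")))
    return found


def unexpected_listeners(lsof_output: str, allowlist=KNOWN_LISTENERS) -> list[Listener]:
    """Listeners whose process name is not in the baseline allowlist."""
    return [l for l in parse_listeners(lsof_output) if l.command not in allowlist]
```

A hit is only a lead: confirm the binary's origin and code signature before treating it as an infection.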

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

Fake Safari browser updates with the stealer Trojan inside

A site with fake Safari browser updates that actually contain the Atomic stealer.

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

  • cookies
  • logins, passwords, and bank card details stored in the browser
  • passwords from the macOS password storage system (Keychain)
  • files stored on the hard drive
  • stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that all software has vulnerabilities that attackers can exploit to infect a device, some of which require little or no action on the user’s part. The macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s operating systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in iOS and macOS: CVE-2023-42917, CVE-2023-42916, CVE-2023-42824, CVE-2023-41993, CVE-2023-41992, CVE-2023-41991, CVE-2023-41064, CVE-2023-41061, CVE-2023-38606, CVE-2023-37450, CVE-2023-32439, CVE-2023-32435, CVE-2023-32434, CVE-2023-32409, CVE-2023-32373, CVE-2023-28204, CVE-2023-28206, CVE-2023-28205, CVE-2023-23529

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

  • Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
  • Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
  • Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
  • Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example, solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.