Fraud Management & Cybercrime , Malware as-a-Service

Mac Malware Threat: Hackers Seek Cryptocurrency Holders

Lazarus Group in Particular Using Cross-Platform Languages to Hit macOS Targets
Mac Malware Threat: Hackers Seek Cryptocurrency Holders
Image: Shutterstock

Cryptocurrency-seeking hackers are increasingly targeting macOS users.

See Also: 5 Requirements to Stay Afloat in the SIEM Storm

So warns a new report from endpoints detection and response vendor Trellix, which says that over the past 10 months, "in response to the growing number of attacks" against Mac users, the company has "increased detection content" tied to macOS-targeting threats by nearly 60%.

This includes detections not only for malware attacks, but also specific phishing campaigns that may precede them, followed by tool ingress and use of AppleScript, file and directory discovery efforts and data exfiltration, among other malicious types of activity.

"The sky isn't falling" has long been the malware story for Mac users, and that doesn't appear to have substantively changed, albeit with one major caveat. As with so many things involving cybersecurity, all bets are off for anything that pertains to cryptocurrency.

More specifically, today's chief crypto threat remains North Korea. The Pyongyang-based hereditary Juche absolutist monarchy has an insatiable thirst for Bitcoins, Monero and any other type of digital currency it can use to fund its lavish lifestyle, evade sanctions and churn out weapons of mass destruction.

What stopped North Korea's Lazarus Group and others from focusing their efforts on Mac users before? Previously, hackers didn't swerve from Mac attacks because the OS was necessarily any more or less secure than Windows; it was a numbers game. Per StatCounter, Windows now controls 73% of the desktop operating system market share, followed by macOS at 15%, Linux at 4% and Chrome OS at 2%.

To be clear, attackers have regularly lobbed malware at Mac, including some types of ransomware and backdoors. Even so, these often resembled miscreant science fair projects, rather than cybercrime being practiced on an industrialized scale.

Attackers got the most bang for their buck by targeting the dominant OS platform, plus Windows historically enjoyed many more corporate users than not. This has especially been true for ransomware-wielding attackers who practice big-game hunting, seeking larger enterprise targets in pursuit of ransom payments that might stretch to tens of millions of dollars. Here's looking at you, Change Healthcare and Caesars Entertainment.

Even today, the typical ransomware play involves penetrating a victim's Windows environment, seizing admin-level access to Active Directory and using that to rapidly encrypt hundreds or thousands of PCs before administrators can say "we're under attack."

But the times, they are a-changing, as macOS gains market share, not least across parts of the corporate estate that are attractive to nation-state and criminal attackers. "A sales terminal is unlikely to use macOS, whereas developers, information security specialists, (S)VPs and C-level executives are more likely to use the operating system," Trellix said.

These types of users often have the same thing in common: a high level of access and therefore privileges. "Performing fraudulent transactions, accessing confidential information or disabling the internal digital security systems gets easier" if attackers can hack into the systems already being used by relevant employees to do these tasks on a daily basis, Trellix said.

Attackers Tap Cross-Platform Languages

New types of malware targeting macOS have slowly been rising. Attacking Macs is also becoming easier, as the evolution in cross-platform languages - including Python, Golang and Rust - allows malicious developers to write malware once, and easily compile it to work across multiple operating systems, Trellix said.

The principle practitioners of this strategy remain hackers with ties to the Democratic People's Republic of Korea who appear to have doubled down on their use of such cross-platform programming languages, including Python, Golang and Rust. As a result, instead of having to spin up separate teams for targeting macOS users, the attackers can simply include their targeting in their extant efforts.

Examples of cross-platform malware attributed to North Korea have increased in recent years. This includes the cross-platform RustBucket backdoor - written in Rust - which has been attributed to DPRK's Lazarus Group, for which a macOS version was first spotted in 2023.

Other macOS-targeting malware has included DazzleSpy, which came to light in early 2022, tied to attacks likely targeting politically active and pro-democracy users of macOS and iOS devices in Hong Kong. Researchers said the cyberespionage malware could exfiltrate information from compromised systems, launch a remote screen session, load attacker-suppled files on disk, as well as record audio and keystrokes (see: New macOS Malware Planted via Pro-Democracy Hong Kong Radio).

Infostealers Heart macOS

Macs are also under increasing attack from information-stealing malware. In 2023, researchers warned that attackers had overhauled their macOS version of the venerable Xloader infostealer, which first began targeting Windows PCs in 2015. The macOS version of the malware was written "natively in the C and Objective C programming languages" and designed to steal sensitive information from Chrome and Firefox browsers, according to EDR vendor SentinelOne.

Other macOS infostealers spotted last year, SentinelOne said, included Atomic Stealer, aka Amos, and RealStealer, aka Realst, which is written in Rust and spread via fake blockchain games.

In the middle of this year, Cuckoo Stealer, which appeared to pack both infostealing and spyware capabilities, emerged after the debut of a macOS-targeting version of MetaStealer - apparently a version of the Redline infostealer, with additional capabilities. Of note, an international law enforcement operation recently infiltrated and disrupted Redline and the associated Meta infostealers, and the U.S. indicted a Russian national for being a core member of the operation (see: Russian Indicted by US for Developing Redline Infostealer).

Mac users don't just face threats from the malicious code itself, but also aligned social engineering and supply chain attacks designed to Trojanize a legitimate codebase.

One such supply-chain attack came to light last month, in the form of malware-laden Python code getting uploaded to the PyPI open-source repository. Researchers at Palo Alto's Unit 42 attributed the attack, with medium confidence, to the North Korea-linked APT group it tracks as "Gleaming Pisces." The group's previous claim to fame was distributing a version of AppleJeus malware, disguised to look like it came from a legitimate cryptocurrency trading service (see: North Korea Targets Software Supply Chain Via PyPI).

North Korean attackers have been linked to social engineering attacks in which they pretend to be job recruiters, and attempt to trick victims into installing purported software for video-calling service Microtalk, which is instead their macOS BeaverTail malware (see: Breach Roundup: North Korean Hackers Target macOS Users).

Again, Mac-targeting malware hasn't surged to Windows-targeting levels. Even so, macOS users, and especially anyone who has access to financial resources - and especially likes to buy or sell cryptocurrency - should know that compromising their system may not only be on malicious hackers' wish list, but also increasingly easy to achieve.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.