Malware comes in many forms. Whether banking Trojans, worms, viruses, ransomware, or spyware, such malicious code threatens consumers and businesses alike.
Attackers and malware developers generally focus on the most lucrative operating systems when creating new malware families and strains. Windows, with a user base in the hundreds of millions, remains the top target and most malware is tailored to it; mobile malware, by comparison, has yet to reach the same scale.
The extra effort of building malware for a different operating system is another reason Apple's macOS has seen far fewer threats than Windows.
Exploit brokers such as Zimperium may pay hundreds of thousands of dollars for exploits against Apple's macOS and iOS, but the average malware author does not focus on these platforms.
That is why the appearance of a new macOS malware family in the wild is still an unusual event.
As documented by antivirus vendor Malwarebytes, this February produced two such occasions.
For context, one of only two known kinds of ransomware targeting Macs, dubbed KeRanger, was first discovered last year. It was signed with a valid Mac application development certificate, which let it pass Gatekeeper's checks, and it waited three days after infection before launching an executable that encrypts the user's files and demands one bitcoin (about $400 at the time).
The first of this month's discoveries is not ransomware but a backdoor. Palo Alto Networks calls it XAgent and believes it is linked to the Komplex backdoor, which also targets Apple's platform.
Palo Alto Networks has previously attributed Komplex to the Sofacy group (also known as APT28 or Fancy Bear), a Russian cyberattack group.
Like Komplex, XAgent is a backdoor, equipped with powerful remote access features: keylogging, screenshot capture, remote shell access, and file theft.
Palo Alto's researchers note that one particularly interesting capability is a command that reports back to the operators on iOS device backups stored on the infected Mac.
"iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data," Malwarebytes says.
Luckily for Mac users, the malware's command and control (C&C) server appears to be offline, and Apple has since added detection for it to XProtect, the signature-based protection built into macOS.
Another new piece of Mac malware has also been spotted, though no samples are yet available. In the same XProtect update that added protection against XAgent, Apple quietly included a signature for what it calls OSX.Proton.A.
A post by threat intelligence firm Sixgill provided one of the few leads for researchers to follow. OSX.Proton.A appears to be a remote access tool (RAT), known simply as Proton, that is being sold on a Russian cybercrime forum.
A video posted to YouTube appears to show Proton being used to infect a Mac, execute code remotely, upload files, and spy on victims connected to its C&C server.
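The practical question for a Mac administrator reading the above is whether the XProtect definitions on a given machine actually carry the new signatures. The following is an added example for this article, not Apple's or Malwarebytes' tooling. It assumes the pre-macOS 10.14 layout, in which XProtect stores its signatures in `/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist` as an array of dicts, each with a `Description` (the family name, such as OSX.Proton.A) and a `Matches` array, and its definitions version under the `Version` key of `XProtect.meta.plist`. The embedded fixture is constructed for the example: the family names follow Apple's naming, but the file names and hex patterns are invented and are not Apple's signatures.

```python
"""List the families an XProtect.plist covers and compare against ones we care about.

Example code for this article (not Apple's or Malwarebytes' code). Assumes the pre-10.14
XProtect.plist layout described in the lead-in.
"""
import plistlib
from pathlib import Path

XPROTECT_RESOURCES = Path("/System/Library/CoreServices/XProtect.bundle/Contents/Resources")
XPROTECT_PLIST = XPROTECT_RESOURCES / "XProtect.plist"
XPROTECT_META = XPROTECT_RESOURCES / "XProtect.meta.plist"  # assumed to hold a "Version" key

# Constructed fixture in the XProtect.plist layout. File names and Pattern bytes are
# invented for the example; they are NOT Apple's real signatures for these families.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.KeRanger.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLNameKey</key><string>Contents/Resources/payload.rtf</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>CAFEF00D0000</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Proton.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>0102030405</string>
      </dict>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLNameKey</key><string>Contents/Info.plist</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>0A0B0C0D</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def load_signatures(data: bytes) -> dict:
    """Map each signature's Description (family name) to its list of Matches rules."""
    entries = plistlib.loads(data)  # handles both XML and binary plists
    if not isinstance(entries, list):
        raise ValueError("expected XProtect.plist to be an array of signature dicts")
    sigs = {}
    for entry in entries:
        name = entry.get("Description")
        if not name:
            continue  # malformed entry; XProtect names every signature
        sigs[name] = list(entry.get("Matches", []))
    return sigs


def coverage(sigs: dict, families: list) -> dict:
    """For each wanted family prefix (e.g. 'OSX.Proton'), list the signature names present.

    Case-insensitive prefix matching means 'OSX.Proton' finds OSX.Proton.A and any later
    OSX.Proton.B; an empty list means the definitions do not cover that family at all.
    """
    return {
        fam: sorted(name for name in sigs if name.lower().startswith(fam.lower()))
        for fam in families
    }


def installed_version() -> str:
    """Return the installed definitions version, or 'unknown' when not on macOS."""
    try:
        meta = plistlib.loads(XPROTECT_META.read_bytes())
    except (OSError, plistlib.InvalidFileException):
        return "unknown"
    return str(meta.get("Version", "unknown"))


if __name__ == "__main__":
    if XPROTECT_PLIST.exists():
        data, source = XPROTECT_PLIST.read_bytes(), str(XPROTECT_PLIST)
    else:
        data, source = SAMPLE_XPROTECT_PLIST, "constructed sample (not running on macOS)"
    sigs = load_signatures(data)
    print(f"source: {source}; definitions version: {installed_version()}; {len(sigs)} signatures")
    for fam, hits in coverage(sigs, ["OSX.KeRanger", "OSX.Proton", "OSX.XAgent"]).items():
        print(f"  {fam:<14} {', '.join(hits) if hits else 'NOT COVERED'}")
```

Run on a Mac it reads the live definitions; anywhere else it falls back to the fixture, which deliberately omits XAgent so the "NOT COVERED" path is exercised. Note that XProtect only fires on quarantined downloads, so a family being listed here is a necessary condition for protection, not a guarantee against every delivery path.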
"Unfortunately, thus far, no samples of the malware have been found," Malwarebytes says. "It does not appear to be in the VirusTotal database, and neither of the sites that appear to be associated with Proton are responding."
"Even Sixgill's analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware," the researchers added. "For now, this is a completely unknown threat with rather frightening apparent capabilities."
In related news, Google announced improvements to the Safe Browsing program to give macOS users a more secure browsing experience. Google says that when Chrome is used to browse the web on Mac devices, Safe Browsing is now looking for more potential threats such as web injections and phishing websites. As a result, macOS users may see more warnings than before.