OSX.Dok
According to SentinelOne, a new variant of OSX.Dok appeared in January which is actively targeting macOS users. The malware installs a hidden version of Tor and aims to compromise user traffic by redirecting activity to a hidden onion server.
CookieMiner
CookieMiner is a cryptocurrency mining malware that attacks Mac machines in the quest for cookies associated with crypto trading posts, alongside Google Chrome credentials.
The malware installs a Monero cryptocurrency miner, backdoor, and a slew of other tools to not only mine for virtual coins but also to raid victim wallets.
Lazarus
Lazarus, an APT group connected to North Korea, makes use of a macOS backdoor spread through weaponized Microsoft Word documents. The threat group has recently been spotted striking cryptocurrency exchanges and South Korean businesses in a campaign known as AppleJeus which will drop different payloads depending on whether Windows or macOS machines are in play.
Pirrit
In April, researchers spotted a new strain of macOS malware known as Pirrit. While there are related samples on VirusTotal, the new variant is not picked up by the majority of antivirus engines. Pirrit is an adware and browser hijacking form of malware.
Read more: Cybereason
OSX.Siggen
OSX.Siggen is a form of macOS malware spread through drive-by downloads. The malicious code masquerades as a WhatsApp application and creates a backdoor on infected machines, likely for the purposes of adding PCs to botnets.
OSX Loud Miner
Loud Miner is an interesting form of macOS malware which began making the rounds in June with the infection of cracked versions of popular software including Ableton Live. It is believed over 100 virtual studio apps could be harboring the malware.
Loud Miner installs Linxus emulators to mine for cryptocurrency. By infecting resource-intensive software, it is likely the developers hope mining activities are masked.
KeyStealDaemon
KeyStealDaemon is an exploit leveraging a macOS vulnerability, CVE-2019-8526, which impacts users that have not updated their software to a version beyond macOS 10.11 El Capitan. The malware can be used in privilege escalation attacks to access the macOS Keychain.
OSX/Linker
OSX/Linker is a form of malware which abuses a zero-day vulnerability in Gatekeeper. Malicious Adobe FlashPlayer installer samples were found which contained the malware and given the bug allowed Gatekeeper to be bypassed, users may find themselves mounting malicious disk images without warning.