Threat Feed
Advisory severity: high

Comprehensive Analysis of Mac Malware in 2017

A comprehensive analysis of Mac malware discovered in 2017, detailing infection vectors, persistence mechanisms, features, and goals, including FruitFly, MacDownloader (iKitten), and others.

This threat brief summarizes Mac malware that emerged in 2017, based on a compilation by Objective-See. The analysis covers infection vectors, persistence mechanisms, features, and goals of various malware families, providing insights into the macOS threat landscape. Specific malware discussed includes FruitFly (discovered in January 2017), a backdoor designed to spy on users; MacDownloader (iKitten) (February 2017), an Iranian exfiltration agent; and others like Proton, XAgent, FileCoder, Dok, Snake, MacSpy, MacRansom, Pwnet, and CpuMeaner. The report aims to provide a comprehensive overview for defenders, facilitating detection and remediation efforts. The initial discovery of FruitFly received significant media attention due to its longevity and invasive capabilities. MacDownloader has been linked to Iranian offensive cyber operations targeting the defense industrial base and human rights advocates.

Attack Chain

  1. Initial Infection (MacDownloader): A phishing email directs the user to a fake Adobe Flash Player download site.
  2. Execution: The user downloads and executes the fake Flash Player installer (addone flashplayer.app). Gatekeeper may block execution unless disabled or explicitly allowed.
  3. Persistence (FruitFly): The malware creates a launch agent (plist file) in the ~/Library/LaunchAgents/ directory (e.g., com.client.client.plist for FruitFly variant ‘A’).
  4. Persistence (MacDownloader): Attempts to modify /etc/rc.common to execute /etc/.checkdev on startup, but this functionality may be incomplete.
  5. Data Collection (MacDownloader): The malware harvests information on the infected system, including active Keychains, running processes, installed applications, and potentially usernames and passwords via a fake System Preferences dialog.
  6. Command and Control (FruitFly): The malware connects to a command and control (C2) server.
  7. Data Exfiltration (MacDownloader): Stolen data, including keychain contents and system information, is exfiltrated to the C2 server.
  8. Remote Access (FruitFly): The attacker gains remote access to the file system, can execute system commands, and access the webcam. They can also generate screen captures and simulate mouse/keyboard events.

Impact

The malware detailed in this report can lead to significant compromise of macOS systems. FruitFly allows attackers to spy on users via their webcams, access files, and control the system remotely. MacDownloader (iKitten) targets sensitive data, including keychain credentials, potentially enabling attackers to access protected accounts and services. Successful infections can result in data theft, espionage, and loss of control over the compromised system. Although specific victim counts are not provided, the malware targeted a wide range of users and organizations.

Recommendation

  • Monitor for the creation of launch agents in the ~/Library/LaunchAgents/ directory, especially those with suspicious names and associated executables, to detect persistence mechanisms used by malware like FruitFly. Deploy a tool like KnockKnock to aid in detection (Attack Chain - Step 3).
  • Implement detections for attempts to modify the /etc/rc.common file, which MacDownloader attempts to use for persistence, although the functionality may be incomplete (Attack Chain - Step 4).
  • Deploy the Sigma rule to detect execution of unsigned applications, which is a common characteristic of malware like MacDownloader that relies on tricking users into bypassing Gatekeeper (Attack Chain - Step 2).
  • Enable network monitoring to identify connections to command and control servers used by malware such as FruitFly (Attack Chain - Step 6).
  • Monitor process execution for connections to external IP addresses (Attack Chain - Step 6).
  • Educate users about the risks of phishing emails and the importance of verifying the authenticity of software downloads to prevent initial infection from malware like MacDownloader (Attack Chain - Step 1).

Detection coverage: 3 rules

Detect Launch Agent Creation in User Library

medium

Detects the creation of a launch agent in the user's Library/LaunchAgents directory, which is a common persistence mechanism for macOS malware like FruitFly.

Format: Sigma | Tactic: persistence | Technique: T1547.001 | Log sources: file_event, macos

Detect Modification of /etc/rc.common

high

Detects modification of the /etc/rc.common file, which MacDownloader attempts to use for persistence.

Format: Sigma | Tactic: persistence | Technique: T1547.001 | Log sources: file_event, macos
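As an added illustration of the two persistence detections above (launch agents in ~/Library/LaunchAgents and additions to /etc/rc.common), the following triage helpers are example code written for this brief, not the platform's Sigma rules. The label com.client.client and the path /etc/.checkdev come from the report; the program path /Users/victim/.client, the trusted-prefix list and the sample file contents are constructed assumptions.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Assumed allow-list: where a legitimately installed agent's program normally lives.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")
# Absolute path whose last component is dot-prefixed, e.g. /etc/.checkdev
HIDDEN_PATH = re.compile(r"/[^\s;&|]*/\.[^\s;&|/]+")

def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a ~/Library/LaunchAgents plist deserves a closer look."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments"]
    reasons = []
    if any(part.startswith(".") for part in PurePosixPath(program).parts):
        reasons.append(f"hidden path component in {program}")
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched if killed)")
    return reasons

def suspicious_rc_common_lines(text: str) -> list[tuple[int, str]]:
    """Flag rc.common lines that run a hidden path; the stock file only defines functions."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore shell comments
        if HIDDEN_PATH.search(code):
            hits.append((number, line.strip()))
    return hits

# Constructed sample agent: label as reported for FruitFly variant A, path illustrative.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.client.client</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample rc.common: stock-looking content plus one appended hook.
SAMPLE_RC_COMMON = """# Common setup for startup scripts.
ConsoleMessage() { echo "$@"; }
/etc/.checkdev &
"""
```

Run over a real machine by reading each plist under ~/Library/LaunchAgents and the contents of /etc/rc.common; a non-empty result is a lead for the analyst, not a verdict.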

Detect Execution of Unsigned Applications

medium

Detects the execution of unsigned applications on macOS, which can be indicative of malware attempting to bypass Gatekeeper.

Format: Sigma | Tactic: defense_evasion | Technique: T1036 | Log sources: process_creation, macos
