Mac Malware of 2018 Retrospective

This report retrospectively examines Mac malware identified throughout 2018, providing a comprehensive overview of emerging threats targeting macOS systems. The analysis covers various malware specimens, detailing their infection vectors, persistence mechanisms, and intended goals. Noteworthy examples include OSX.Mami, a DNS hijacker that redirects traffic to attacker-controlled servers, and CrossRAT, a cross-platform Java-based backdoor used in cyber-espionage campaigns. The report emphasizes the evolving threat landscape for macOS and the importance of understanding malware capabilities to defend against attacks. Specifics include the distribution of CreativeUpdate via trojanized applications on MacUpdate.com and the use of Launch Daemons and Launch Agents for persistence by OSX.Mami and CrossRAT respectively. The analyzed malware spans from January 2018 (Mami) to December 2018 (DarthMiner, LamePyre).

Attack Chain

1. Initial Access (OSX.Mami): A user visits a malicious website, triggering a browser popup.
2. User Interaction (OSX.Mami): The user interacts with the popup, leading to the download of a Mach-O executable named “MaMi”.
3. Execution (OSX.Mami): The user executes the downloaded “MaMi” file.
4. Persistence (OSX.Mami): The malware installs itself as a Launch Daemon with the file path /Library/LaunchDaemons/Cyclonica.plist, referencing a malicious file in the user’s home directory.
5. Privilege Escalation (OSX.Mami): The malware installs a malicious certificate in the System Keychain.
6. DNS Hijacking (OSX.Mami): The malware modifies the /Library/Preferences/SystemConfiguration/preferences.plist file, changing the system’s DNS settings to attacker-controlled servers (82.163.143.135 and 82.163.142.137).
7. Man-in-the-Middle Attack (OSX.Mami): The attacker performs man-in-the-middle attacks, potentially spying on user activity and injecting malicious content.

Impact

The Mac malware of 2018 exhibited a range of malicious capabilities, including DNS hijacking, remote access, and data exfiltration. OSX.Mami’s DNS hijacking enabled attackers to potentially monitor user activity and inject malicious content, compromising user privacy and security. CrossRAT, a cross-platform backdoor, allowed attackers to remotely control infected systems and exfiltrate sensitive information. While specific victim counts and sectors are not detailed, the malware posed a significant threat to macOS users and organizations. Success of these attacks could lead to data breaches, financial loss, and reputational damage.

Recommendation

• Monitor network traffic for DNS queries to the known malicious DNS servers 82.163.143.135 and 82.163.142.137 associated with OSX.Mami (IOC table).
• Implement the Sigma rule to detect the creation of LaunchAgent plists containing references to java -jar execution, which is indicative of CrossRAT persistence.
• Monitor process creation events for execution of binaries from the /Library/LaunchDaemons/ directory, specifically looking for the Cyclonica.plist file (Attack Chain).