« Back to Blog

Threat Spotlight: Mac Malware

By Cylance Threat Guidance Team

Introduction

Lately, there has been a resurgence of the old misinformation of not needing to worry about malware because “I run a Mac” or an iPad. Others in the industry, myself included, have long known about the dangers of assuming Mac OS attacks are rare. In fact, the threat today has only increased. Even though the number of threats to Mac products are vastly outnumbered by those aimed at Windows PCs, the effects of ransomware and other such malware can be just as devastating.

A Historical Perspective

The very first computer virus that infected personal computers was named Elk Cloner. This virus specifically targeted the Apple II platform. Created in 1982 as a prank by 15-year-old high school student Richard Skrenta, the virus infected the boot sector of the hard drive when a system booted from an infected floppy disk. When the WildList was established in 1993, soon after, a second ‘Mac WildList’ was also founded and maintained by David Harley. More of his work on this subject can be located on the Anti-Virus Information Exchange Network blog. The fact is that all operating systems (OSs) have had malware written targeting them, or leveraging them, including the venerable CP/M.

Some of the malware that affected Macs in the early days included threats like AutoStart and Seven Dust in 1996, Hypercard infections in 1988, and Renepro and Amphimix in 2004. Not specifically targeting but still able to infect the Mac platform were the Office macro viruses of the middle to late ‘90s. Unfortunately, we are now seeing a resurgence of these Office malware samples in the last couple of years.

The first malware specifically written for Mac OS X was Leap, discovered in 2006. Macs were never a major target for the early malware authors. This is primarily due to the lack of scaled adoption of the platform at the time, early after Macs were released to consumers and enterprises. Since there were fewer hosts to target, the malware had a lower chance of replication and moving into a ‘wild status’ than its Microsoft OS brethren. 

Even when malware became a business model for some organizations and authors, the return on investment concerning development and infection greatly favored the PC platform. As usual, it comes down to attackers going after the easiest targets for the least amount of work - the low hanging fruit. This isn’t likely to change. Even with the recent proliferation of Apple mobile devices (iPhones, iPads, etc.), the market share that OS X occupies will dictate how big a target the malware authors consider it. OS X is just a fraction of overall market share, barely visible in the larger graph and has not exceeded 5%, according to research by ComputerBase.de.

MacMalware_1b

Figure 1. Development of Desktop OS Market Shares at German Website ComputerBase Since 2002.
Image Credit: By StefanPohl - Workdata From ComputerBase, CC0.
(Source: Wikipedia)

The Operating System and Threats Evolve

When Apple moved from its classic OS to OS X in 2001, it was based on a variation of FreeBSD. This is both boon and bane since this OS is close to the Linux flavors, which means it allows for easier porting of existing applications, both beneficial and malicious. In early 2016, Betanews published an article proclaiming that 2016 was going to be the year of malware targeting Macs and OS X. The article attempts to support its claim by quoting multiple reports issued by reputable computer security vendors, including this quote: “Symantec reports that there were more than nine times as many OS X malware infections in 2015 compared to 2014.”

However, as noted by Symantec, a nine-fold increase is easy to accomplish when there are already so few existing malicious samples. And even with that increase, you’re much more likely to encounter a piece of malware targeting another environment. Cross-platform infections such as threats exploiting Microsoft Office and Adobe Reader are equally effective at infecting OS X as they are Windows. The problem is such that even MacWorld has a FAQ asking, “Do Macs get viruses?”

OS X malware seems to be easily dismissed because of its rarity and consequently discounted as a lesser threat than botnets, information stealers, and ransomware targeting Windows and Android mobile devices. While this may be a point that is used to avoid deploying protection for Macs in the business environment, it is also a false assumption.

Case Study: OS X Ransomware

I would like to look at a specific threat we explored just this last week. While it’s not the first ransomware that functions on OS X (that distinction goes to KeRanger, discovered in February 2016), it’s not a backdoor like Elanor (discovered in the summer of 2016). This is a ransomware sample that is part of the FileCoder family. This malware is written in Swift, and pretends to be a patch for Microsoft Office or Adobe. The infected files may be delivered by Torrent or email attachment. Once executed, the following message appears:

MacMalware_2

Figure 2: Ransomware Note Displayed By Infected Computer­

Now, the concerning thing about this specific malware: we watched as the malware would query for a specific proxy, which was non-responsive. Due to the way it was implemented, even if you pay up, there is no way for the authors to decrypt this file. This is due to the author never receiving your encryption key, and it not being stored locally. In all cases we investigated in the lab, there was no decryption key we could extract to reverse the encryption.

So, as you can see, malware targeting OS X is every bit as malicious as the malware targeting other platforms. We can only expect to see more malware targeting the platform, as things are ported from other *nix families. As well as OSs becoming less relevant as applications become cloud- or web-based, we expect that cross-platform threats will be much more prevalent in future. 

As security professionals, responsible for the hygiene of the networks and hosts we administer, we cannot discount threats based on OS. We must treat all OSs in the same manner and apply best computing practices or we will be cleaning up the mess after those OSs are attacked.

Conclusion

While claims such as “Apple devices are safe from PC infections” are technically true, these are disingenuous and intentionally misleading. The sky is not falling, and the internet is not ending, but Apple devices are computers and all computers always will have malware that targets them. Ignoring threats based on the false belief that one operating system is ‘safer’ than another is a risky game to play. Make sure to deploy endpoint security protections to all devices on your network to avoid falling victim to Mac malware.

If you use our endpoint protection product, CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI based solution can predict and prevent unknown and emerging threats.

Tags: