Full Report
Learn about the key macOS malware families from 2024, including tactics, IoCs, opportunities for detection, and links to further reading.
Analysis Summary
# Tool/Technique: Amos Family of InfoStealers
## Overview
A family of malware variants that primarily steals the user's plain-text login credentials on macOS systems, then uses them to unlock the local Keychain and access the passwords and credentials stored there.
## Technical Details
- Type: Malware family (InfoStealer)
- Platform: macOS
- Capabilities: Credential theft, specifically targeting plain text login credentials to decrypt the Keychain.
- First Seen: Not explicitly stated, but active and rising in 2024.
## MITRE ATT&CK Mapping
*Note: Precise ATT&CK mapping requires specific observed behaviors, but based on the description it likely includes:*
- [TA0009 - Collection]
- [T1552 - Credentials from Password Stores]
## Functionality
### Core Capabilities
- Grabbing user login credentials in plain text.
- Using the acquired credentials to unlock the Keychain.
- Stealing passwords and other credentials stored within the Keychain.
### Advanced Features
- Targeted credential access by abusing the Keychain unlock mechanism with the stolen login credentials.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [Not provided in the source text]
- Behavioral Indicators: [Attempting to dump plain text credentials; interacting with the Keychain]
## Associated Threat Actors
- [Not explicitly attributed in the source text; general threat actors targeting macOS]
## Detection Methods
- [Signature-based detection]: Signatures for known file hashes or strings associated with the stealer payloads.
- [Behavioral detection]: Monitoring for processes attempting to access or export data from the macOS Keychain without expected user interaction.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Avoiding side-loaded or untrusted applications claiming to be productivity or business software.
- [Hardening recommendations]: Enforcing strong password hygiene and enabling Multi-Factor Authentication (MFA) everywhere possible, especially for privileged accounts.
## Related Tools/Techniques
- CloudChat Infostealer
- Other InfoStealers active on macOS in 2024.
---
# Tool/Technique: Backdoor Activator
## Overview
A malware strain first identified in January 2024, spread through cracked versions of popular business and productivity applications targeting macOS users.
## Technical Details
- Type: Malware (Backdoor)
- Platform: macOS (implied, as it is part of a broader macOS campaign summary)
- Capabilities: Establishing persistence or remote access on hosts infected through software-piracy vectors.
- First Seen: January 2024
## MITRE ATT&CK Mapping
*Note: As a backdoor, common mappings include:*
- [TA0011 - Command and Control]
- [T1105 - Ingress Tool Transfer]
- [TA0003 - Persistence]
## Functionality
### Core Capabilities
- Infection via cracked software distribution.
- Establishing backdoor functionality on the compromised host.
### Advanced Features
- Unknown; likely designed for broad access, given the choice of infection vector.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Payloads embedded within popular application installers]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [C2 communication infrastructure, if established]
- Behavioral Indicators: [Unexpected network connections originating from cracked applications]
## Associated Threat Actors
- [Not explicitly attributed in the source text; general threat actors targeting macOS]
## Detection Methods
- [Signature-based detection]: Signatures for specific payloads distributed via cracked apps.
- [Behavioral detection]: Detecting suspicious network connections originating from cracked/pirated software execution.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Strictly prohibit the installation and use of pirated, cracked, or unauthorized software.
- [Hardening recommendations]: Application whitelisting to prevent execution of unauthorized binaries.
## Related Tools/Techniques
- Software Piracy infection vectors.
---
# Tool/Technique: LightSpy (macOS Variant)
## Overview
An established piece of malware previously focused on Chinese-speaking mobile users, which in 2024 saw the introduction of a macOS version equipped with platform-specific plugins for surveillance and control.
## Technical Details
- Type: Malware family (Surveillance/Control)
- Platform: macOS (newly discovered variant), previously mobile platforms.
- Capabilities: Comprehensive surveillance and remote control operations tailored for macOS.
- First Seen: LightSpy lineage dates back to at least 2019; macOS variant observed in 2024.
## MITRE ATT&CK Mapping
*As a surveillance tool:*
- [TA0003 - Persistence]
- [TA0005 - Defense Evasion]
- [TA0006 - Credential Access]
- [T1003 - OS Credential Dumping]
## Functionality
### Core Capabilities
- Executing general reconnaissance and surveillance tasks.
- Utilizing macOS-specific plugins for enhanced capability.
### Advanced Features
- Suite of surveillance and control tasks enabled by specialized plugins.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text]
- Registry Keys: [Not applicable/Not provided (macOS uses property lists (plists) rather than a registry)]
- Network Indicators: [C2 channels used by LightSpy operators]
- Behavioral Indicators: [Excessive file system access, unusual resource utilization indicative of monitoring]
## Associated Threat Actors
- [Not explicitly attributed in the source text; historical variants linked to Chinese operations]
## Detection Methods
- [Signature-based detection]: Signatures for known LightSpy binary components.
- [Behavioral detection]: Detection of plugins loading or execution patterns matching known surveillance tools.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Maintaining strict control over installed applications, especially third-party software.
- [Hardening recommendations]: Limiting application permissions and ensuring operating system integrity.
## Related Tools/Techniques
- Other surveillance and monitoring malware targeting macOS.
---
# Tool/Technique: BeaverTail
## Overview
Cross-platform malware attributed to North Korean state-sponsored groups, primarily used in social engineering campaigns in which threat actors impersonate recruiters on professional platforms to deliver the malware.
## Technical Details
- Type: Malware (Cross-Platform)
- Platform: macOS and Windows
- Capabilities: Delivering an initial stage payload via spear-phishing/social engineering pretext (job offers).
- First Seen: Not specified, active in 2024 campaigns.
## MITRE ATT&CK Mapping
*Focus on initial access and delivery:*
- [TA0001 - Initial Access]
- [T1566 - Phishing]
- [T1566.001 - Spearphishing Attachment] (likely, if files accompany job offers)
- [TA0002 - Execution]
## Functionality
### Core Capabilities
- Cross-platform execution on both Windows and macOS.
- Delivered through deceptive social engineering lures (fake job opportunities).
### Advanced Features
- Use of specific social platforms (LinkedIn, X, Freelancer) for targeted lure delivery.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Payload filenames related to job applications/documents]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [C2 infrastructure associated with North Korean APTs]
- Behavioral Indicators: [Execution of novel binaries following interaction with job-related lures]
## Associated Threat Actors
- North Korean state-sponsored groups.
## Detection Methods
- [Signature-based detection]: Signatures for BeaverTail cross-platform binaries.
- [Behavioral detection]: Flagging emails or messages from unknown senders on the named platforms that carry job lures and are followed by file execution.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Strict vetting of unsolicited job offers received via social media or email; never opening attachments from unfamiliar sources offering employment.
- [Hardening recommendations]: Implementing network-based filtering for known malicious domains associated with actor infrastructure.
## Related Tools/Techniques
- Social engineering delivery methods.
---
# Tool/Technique: ToDoSwift & Hidden Risk
## Overview
Two related campaigns attributed to the BlueNoroff APT group, specifically targeting organizations and individuals involved in cryptocurrency trading and Decentralized Finance (DeFi) to steal digital assets.
## Technical Details
- Type: Malware Campaigns (InfoStealers / Financial Theft)
- Platform: Not strictly defined; targeting crypto ecosystems implies access across various systems.
- Capabilities: Targeting and stealing cryptocurrency assets.
- First Seen: Active during 2024 campaigns.
## MITRE ATT&CK Mapping
*Focus on financial theft:*
- [TA0010 - Exfiltration]
- [T1041 - Exfiltration Over C2 Channel]
- [TA0006 - Credential Access]
- [T1552 - Credentials From Password Stores] (potentially stealing wallet seeds/keys)
## Functionality
### Core Capabilities
- Compromising entities involved in cryptocurrency trading/DeFi.
- Stealing digital currency assets.
### Advanced Features
- Coordinated activity across related campaigns (ToDoSwift and Hidden Risk).
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [C2 communications linked to BlueNoroff]
- Behavioral Indicators: [Unusual file system access patterns related to wallet files or trading platforms]
## Associated Threat Actors
- BlueNoroff APT (North Korean-aligned).
## Detection Methods
- [Signature-based detection]: Signatures associated with ToDoSwift/Hidden Risk executables.
- [Behavioral detection]: Monitoring network traffic for connections to known BlueNoroff infrastructure or unusual attempts to transfer large amounts of crypto.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Implementing hardware keys for crypto transactions; isolating sensitive crypto-related activity to secured environments.
- [Hardening recommendations]: Strong application control on systems handling private keys or large crypto holdings.
## Related Tools/Techniques
- Financial malware targeting DeFi.
---
# Tool/Technique: HZ RAT (macOS Variant)
## Overview
A macOS version of the known Windows backdoor HZ RAT, distributed via a trojanized OpenVPN Connect installer. Its primary goal on macOS is to steal data from user installations of DingTalk and WeChat.
## Technical Details
- Type: Malware (Backdoor/RAT)
- Platform: macOS
- Capabilities: Remote access and espionage; data theft focused on specific communication applications (DingTalk, WeChat).
- First Seen: macOS version detailed in August 2024.
## MITRE ATT&CK Mapping
*As a RAT:*
- [TA0011 - Command and Control]
- [T1071 - Application Layer Protocol]
- [TA0009 - Collection]
- [T1005 - Data from Local System] (targeting specific chat application data)
## Functionality
### Core Capabilities
- Providing remote access and control (RAT functionality).
- Exfiltrating data from DingTalk and WeChat installations.
### Advanced Features
- Distribution via a legitimate-looking installer (OpenVPN Connect trojanization).
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [The fake OpenVPN Connect installer]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [C2 traffic associated with known HZ RAT infrastructure]
- Behavioral Indicators: [Process running under the guise of OpenVPN attempting to read user profile data for WeChat/DingTalk]
## Associated Threat Actors
- [Attribution not explicitly mentioned for the macOS variant; HZ RAT has been used by various groups]
## Detection Methods
- [Signature-based detection]: Signatures for the HZ RAT payload and the fake OpenVPN component.
- [Behavioral detection]: Detection of processes using unusual paths or permissions to read data belonging to chat applications.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Only download VPN clients (or any software) directly from official vendor websites or enterprise distribution channels.
- [Hardening recommendations]: Regularly review and revoke unnecessary permissions granted to non-essential applications.
## Related Tools/Techniques
- OpenVPN trojanization.
- Data stealers targeting communication applications.
---
# Tool/Technique: CloudChat Infostealer
## Overview
An infostealer delivered in April 2024 via a seemingly legitimate website named "CloudChat." The malicious component loads a dynamic library (`libCloudchat.dylib`) from within the application bundle's Frameworks directory upon execution.
## Technical Details
- Type: Malware (Infostealer)
- Platform: macOS
- Capabilities: Data theft and exfiltration; the malicious logic is carried in a dynamic library loaded by the bundled application.
- First Seen: April 2024
## MITRE ATT&CK Mapping
- [TA0001 - Initial Access] (via malicious website)
- [TA0009 - Collection]
- [T1560 - Archive Collected Data]
- [TA0010 - Exfiltration]
## Functionality
### Core Capabilities
- Infection delivered through a dedicated malicious website.
- Core malicious logic residing in a linked dynamic library (`libCloudchat.dylib`).
### Advanced Features
- Execution chaining: the main application binary loads the dylib located in its own bundle's Frameworks directory.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [CloudChat Application, libCloudchat.dylib]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [C2 servers hosting the malicious CloudChat site and subsequent exfiltration domains]
- Behavioral Indicators: [Dynamic library loading from uncommon paths within application bundles]
## Associated Threat Actors
- [Not explicitly attributed in the source text]
## Detection Methods
- [Signature-based detection]: Signatures for the CloudChat application binary and the library hash.
- [Behavioral detection]: Monitoring for applications loading dynamic libraries from the Frameworks folder in unexpected ways.
- [YARA rules if available]: [Not available]
## Mitigation Strategies
- [Prevention measures]: Educating users on validating website URLs, especially for software downloads.
- [Hardening recommendations]: Application notarization checks and strict enforcement against unsigned code execution.
## Related Tools/Techniques
- Dynamic library hijacking/loading techniques.