Macs are the go-to device for professionals and high-level officials the world over. Beautifully designed, highly optimized for performance, and tagged with a price that reflects a premium product, Macs are more than a tool – they are a statement. In keeping with this reputation, you would not expect malware designed for Macs to be the run-of-the-mill, easy-to-block creations we see on other platforms. Advanced Mac threats cost a fortune to develop, but when they hit the designated target, it’s jackpot for the cyber-criminals.
Malware has been around since the early days of computers and, regardless of operating systems, has always managed to creep in. However, the Internet and digitalization have brought forward not just the proliferation of threats, but also a staggering increase in complexity. Today, malware is a tool for industrial espionage, cyberwarfare, and even state-sponsored cyberattacks.
Until recently, Windows usually took the brunt of commercial and advanced malware, and Apple’s Mac OS was largely ignored by threat actors. One reason for that was its limited adoption and integration in business environments: developing Mac malware cost too much in allocated resources relative to the actual return on investment.
Commonly referred to as advanced persistent threats, sophisticated malware is designed not just to evade traditional security tools, but also to remain hidden within an organization for as long as possible. Consequently, attackers can either maintain a foothold for years or completely cripple the organization, depending on their motives.
One of these pieces of advanced malware was discovered earlier this year and was linked to a group of attackers known as Sofacy Group or Fancy Bear, a Russian threat actor that became widely known after the cyberattacks on the German parliament, French television station TV5Monde, and the White House.
This malware’s striking characteristic was its ability to infect Windows, Linux, and Mac OS running devices, dropping a payload specifically designed for each operating system.
What Makes the Mac OS Component of APT28 so Special?
Besides selective victim targeting, the APT28 malware can selectively download components for each victim, including those running Mac OS. The XAgent modular backdoor, delivered via the Komplex downloader, can install various espionage modules, ranging from key-logging to screen grabbing and file exfiltration.
Since the Apple ecosystem involves tight integration between Mac OS and iOS, the backdoor was also designed to steal iOS backups from infected Mac systems. Since these backups usually contain messages, contacts, voicemail, call history, notes, calendar, and Safari data, threat actors also gain access to data stored on iPhones.
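The point above is that a backdoor running as the logged-in user needs no extra privilege to read iOS backups: on macOS they sit under the user's own home directory (by default `~/Library/Application Support/MobileSync/Backup`, one folder per device, each with an `Info.plist` describing the device). The script below is an added defender-side example, not code from the article or from any of the malware it describes: it inventories the backups present on a host so a responder can see what data an infected account exposed. The default path is the standard macOS location; the UDID, device name and file contents in `demo()` are constructed sample data.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Standard location of Finder/iTunes device backups on macOS (assumed from platform
# knowledge; the article only states that the backdoor steals iOS backups).
DEFAULT_BACKUP_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"

# Keys in Info.plist that identify the backed-up device; others are ignored.
INFO_KEYS = ("Device Name", "Product Type", "Last Backup Date")


def inventory_backups(root):
    """Describe every device backup folder directly under root.

    Returns a list of dicts with the folder name (device UDID), file count,
    total size, the folder's permission bits and whether it is world-readable,
    plus any device metadata found in Info.plist.
    """
    root = Path(root)
    results = []
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        device = {}
        info_plist = entry / "Info.plist"
        if info_plist.is_file():
            with open(info_plist, "rb") as fh:
                try:
                    data = plistlib.load(fh)
                except Exception:  # corrupt or non-plist file: record nothing
                    data = {}
            device = {k: data[k] for k in INFO_KEYS if k in data}
        file_count = 0
        total_bytes = 0
        for dirpath, _, files in os.walk(entry):
            for name in files:
                try:
                    total_bytes += (Path(dirpath) / name).stat().st_size
                    file_count += 1
                except OSError:
                    pass  # file vanished or unreadable; skip it
        mode = entry.stat().st_mode & 0o777
        results.append({
            "udid": entry.name,
            "files": file_count,
            "bytes": total_bytes,
            "mode": mode,
            "world_readable": bool(mode & 0o004),
            **device,
        })
    return results


def demo():
    """Build a constructed sample backup tree in a temp dir and inventory it.

    Nothing here is real device data; the UDID and contents are made up.
    """
    root = Path(tempfile.mkdtemp(prefix="mobilesync-demo-"))
    backup = root / "00008030-0000AAAA1111BBBB"  # hypothetical UDID
    (backup / "ab").mkdir(parents=True)
    with open(backup / "Info.plist", "wb") as fh:
        plistlib.dump({"Device Name": "Example iPhone", "Product Type": "iPhone12,1"}, fh)
    (backup / "Manifest.db").write_bytes(b"\x00" * 1024)     # stands in for the real manifest
    (backup / "ab" / "ab0123").write_bytes(b"\x01" * 512)    # stands in for a backed-up file
    os.chmod(backup, 0o700)
    return inventory_backups(root)


if __name__ == "__main__":
    for item in inventory_backups(DEFAULT_BACKUP_ROOT):
        print(item)
```

Run on a real Mac, the `__main__` branch lists each device backup with its size and whether the folder is readable by other users; the `bytes` figure is a direct measure of how much iPhone data a compromised user session could have exfiltrated. Combine it with a baseline of the folder's modification times to spot backups that were touched outside of a normal sync.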
Encryption and encoding are two key features whenever data exfiltration and espionage are involved, and this Mac OS Trojan had them in force. It could communicate with attacker-controlled command and control (C&C) servers without raising suspicion, allowing the attackers to offload data and even remotely issue commands to infected machines.
The obvious sophistication of the Trojan has led researchers to conclude that its originators had access to an ample R&D team, as well as a huge budget to conduct the development. This type of investment to create a threat to systems running Mac OS can only be justified if the threat actors are targeting a select pool of high-level executives from specific industry verticals for cyberespionage.
The natural question that follows is, who would have the interest, resources, and time to invest in developing Mac malware, especially since the platform is usually (although mistakenly) considered more secure than other more common operating systems?
Have We Seen the Last of Mac Threats?
It’s likely Mac threats will continue. Macs have been targeted for a while by sophisticated threats and, if we go back to 2013, the KitM Trojan was used to spy on the online whereabouts of a human rights activist in Angola. This is proof enough that Macs have been (and will continue to be) targeted by advanced threats, regardless of whether developed by lone cybercriminals or nation-sponsored threat actors.