Sophisticated Mac OS Malware Uses Trust and Developer Certificates

How it works: Attackers compromise a vendor’s website, then replace legitimate apps with those carrying data-stealing malware.


If the ransomware incident involving the tampered Transmission app in early 2016 proved anything, it’s that threat actors are now taking a serious interest in compromising Mac OS users.

Recent events involving the Proton remote access Trojan (RAT), distributed through the popular Elmedia Player media software, show that cybercriminals are actively targeting highly popular applications – in this case an app with more than 1 million downloads – to maximize the number of victims a single compromise yields.

There’s no reason to assume Mac malware will fade away. If anything, we’ve learned that attackers favor popular applications as the vehicle for smuggling data-stealing malware onto systems. Supply chain attacks that compromise the app vendor’s website and replace the legitimate download with a tampered one are now a reality, and compromising a website is usually a matter of persistence rather than rare skill. Finding and exploiting a vulnerability in a vendor’s web stack is often cheaper and more effective than finding a zero-day in Mac OS itself: the attacker inherits a trusted distribution channel, and every user who installs or updates during the window becomes a victim.

A Brief History Lesson

Ransomware has been incredibly popular on Windows-running systems, as cybercriminals figured there’s a lot of money to be made by holding user data for ransom. And they were right. It’s estimated that ransomware alone generated more than $1 billion for malware developers in 2016, and an even higher figure is expected in 2017.

If Mac OS had remained relatively unaffected until then, the Transmission incident was an eye opener: it revealed that, with determination, ransomware can also start ransacking Macs. By signing the malicious app with a valid – but stolen – developer certificate, the attackers were able to dodge Mac OS’s built-in security screening (Gatekeeper) and have the app install without any alarm bells going off. The security industry commonly refers to this type of attack as a “supply chain attack,” as it compromises users en masse by tampering with the tools they already trust.

Plus, since the compromised website is the legitimate one, attackers don’t even have to invest time and effort in creating convincing replicas or registering typo-squatted domains. And with most websites running a lot of code integrated from third parties, cybercriminals have a wide attack surface in which to dig for vulnerabilities.

The Recent Proton RAT on Mac OS

What’s interesting is that this is not the first appearance of the Proton RAT on Mac OS. HandBrake, an open source video transcoder, was repackaged with the Trojan earlier this year in a supply chain attack of the same kind, leaving users who downloaded it during the attack window with a tampered file.

The Proton RAT is highly versatile. It is distributed signed with valid Apple developer certificates, which lets it pass Mac OS’s Gatekeeper check, and it has full surveillance and control features: it can capture keystrokes, take screenshots, upload sensitive files to a designated command and control server, and pretty much everything in between.
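The common thread in the Transmission and Proton incidents described above is that a valid Developer ID signature is all Gatekeeper asks for, so a stolen or throwaway certificate passes it just as well as the vendor’s own. The check a practitioner would add is to pin the signer: compare the Team Identifier that `codesign` reports against the one known to belong to the vendor. The script below is an added example written for this article, not code from the article’s author or from any project named here. `ABCDE12345`, `Example Vendor`, `com.example.app` and the codesign report it parses are constructed placeholders, and the expected Team Identifier must come from a trusted source (a previously installed copy, or the vendor out of band), never from the download page, because in a supply chain attack that page is precisely what was compromised.

```shell
#!/bin/sh
# Added example: pin the signer of a downloaded Mac app bundle instead of
# trusting "Gatekeeper let it through". Gatekeeper accepts any valid Developer
# ID signature, so a stolen or throwaway certificate passes the same check as
# the real vendor's. Pinning the Team Identifier closes that gap.
#
# Team IDs such as ABCDE12345 below are constructed placeholders. Get the real
# one from a copy of the app you already trust (codesign -dvvv on it) or from
# the vendor out of band, never from the download site itself.

# Pull the TeamIdentifier= value out of `codesign -dvvv` output read from stdin.
# Prints the team ID; prints nothing if the bundle is unsigned.
team_id_from_codesign_output() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Compare the team ID in codesign output (stdin) with the pinned one.
# Returns 0 on match, 1 if the ID is missing, "not set" (ad-hoc) or different.
verify_team_id() {
    expected="$1"
    actual="$(team_id_from_codesign_output)"
    if [ -z "$actual" ] || [ "$actual" = "not set" ]; then
        echo "FAIL: no Team Identifier (unsigned or ad-hoc signed bundle)" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: signed by team $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: signed by expected team $expected"
}

# Full check on a real bundle (macOS only). Three independent questions:
#   1. is the signature intact and does it cover every nested component?
#   2. would Gatekeeper allow it to execute?
#   3. is the signer the vendor we expect?
# Only the third one tells the vendor apart from a stolen certificate.
check_app() {
    app="$1"
    expected="$2"
    codesign --verify --deep --strict "$app" || return 1
    spctl --assess --type execute "$app" || return 1
    # codesign -d writes its report to stderr, hence 2>&1
    codesign -dvvv "$app" 2>&1 | verify_team_id "$expected"
}

# Constructed sample of what `codesign -dvvv` prints for a Developer ID signed
# bundle (trimmed to the relevant lines), so the parser runs on any platform.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=281 flags=0x0(none) hashes=3+3 location=embedded
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Demo on the constructed sample: passes with the pinned ID, fails with another.
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | verify_team_id ABCDE12345
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | verify_team_id ZZZZZ99999 || true
```

On a Mac, `check_app /Applications/Example.app ABCDE12345` runs all three checks against the freshly downloaded bundle. `codesign --verify` catches a bundle whose contents no longer match its signature, `spctl --assess` is Gatekeeper’s own verdict, and the Team Identifier pin is the part neither of them provides. The same reasoning applies to checksums: a SHA-256 published on a compromised vendor site is no more trustworthy than the download sitting next to it, so compare against a hash obtained through a different channel.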

Users who unknowingly downloaded the infected Elmedia Player would have had their keychain data, browser history, browser cookies, SSH private keys, 1Password data, cryptocurrency wallets, and more stolen and uploaded to an attacker-controlled C&C server.

Unfortunately, anyone who downloaded the tampered Elmedia Player on October 19 or October 20 needs to treat the machine as fully compromised: remove the malware by doing a full OS reinstall, then change the passwords on every account used from that machine. Because the RAT exfiltrates the keychain, browser cookies and SSH keys, active sessions should be invalidated and SSH keys replaced as well, since a password change alone does nothing against a stolen cookie or key. It also wouldn’t hurt to closely watch credit card activity, or even have new cards issued, as card data stored in the browser or keychain is likely to have been compromised during the infection window.

Staying safe from the Mac OS malware outburst has become a lot harder, especially since malware now arrives wrapped inside legitimate, validly signed apps. Installing a Mac OS security solution that can identify and closely monitor installed apps is no longer optional, but mandatory.