New families of viruses for MacOS that appeared in 2021

Unfortunately for Apple lovers, the days when viruses “started up” only under Windows are gone. Although malware for macOS and iOS is indeed many times smaller than for Windows and Android, statistics show that this is not for long. Hackers do not sit idle – in his sixth annual roundup, cybersecurity researcher Patrick Wardle presented 8 malware families at once that can infect computers running macOS.

ElectroRAT
ElectroRat – RAT (Remote Access Trojan – Remote Access Trojan) for stealing crypto wallets. There are executable files that run ElectroRat on all major systems: Windows, Linux and MacOS. The malware enters the computer through Trojan applications designed to work with cryptocurrency: Jamm, eTrade and DaoPoker. The first two were supposedly meant to manage cryptocurrency trading, while the last one was a poker game with cryptocurrency bets. There may be other applications that install ElectroRat on the victim computer.

The attackers created websites and social media pages for each of the applications and actively promoted them on the Internet and the Dark Web. Links to applications have repeatedly appeared on cryptocurrency forums, attackers have bought ads on Twitter, Telegram and other social networks.

Once downloaded, the application injected malware written in the cross-platform Go language (Golang) into the system. In addition to stealing crypto wallets, ElectroRat is able to steal other accounts and passwords using keylogging (recording all keystrokes on the keyboard), take screenshots, download and run other programs from the server of attackers.

Since ElectroRat is distributed through “mother” applications, to protect against it, programs from unverified publishers, especially those related to cryptocurrency, should be avoided in the first place.

1Z0-1032-21
1Z0-998-21
1Z0-1049-21
1Z0-1043-21
1Z0-1034-21
1Z0-1041-21
5V0-22.21
3V0-21.21
1Z0-1050-21
2V0-51.21
1Z0-1085-21
1Z0-1083-21
1Z0-1080-21
1Z0-1079-21
1Z0-1077-21

Antivirus Kaspersky Internet Security Multi-Device
1 199 *
The firewall will not protect against malicious activity, since the user himself creates rules that allow him to access the attackers’ servers, as required by the “parent” application. To detect malware, you can use the free VirusTotal service – it detects ElectroRat on most infected files. Another similar service, Intezer Analyze , guarantees 100% malware detection.

Silver Sparrow
SilverSparrow is a potentially dangerous malware discovered in 2021 on 40,000 machines running macOS. Despite this distribution, little is known about him, since he does not yet conduct any dangerous activities. SilverSparrow, during installation, passes the URL from which the installation package was downloaded to the remote server, and once an hour it synchronizes with some remote servers. We also managed to establish that SilverSparrow contains a self-destruct mechanism and is able to completely remove itself and all traces of its stay on command from the server, which is not typical for malware.

The binary file of the malware, when launched, displays a window with the message “Hello World!” in the x86_84 version and “You did it!” in the version for the M1 processor.

No other activity was found behind the malware, but that doesn’t mean it’s safe. It is possible that SilverSparrow is simply “waiting” for a command from the server to start destructive activity, and the result can be anything.

The way the malware was distributed remained unidentified. It is known that it uses the macOS installer to infect, but how and from where the package being installed gets to the computer’s disk is not clear. Most likely, SilverSparrow penetrates under the guise of applications from third-party sites. To protect yourself from malware, you should adhere to standard security requirements: use a firewall, do not trust applications from unverified publishers, do not open email attachments if you are not completely sure of them, etc. You can use MalwareBytes antivirus to remove the malware .

xcodespy
XcodeSpy is a dangerous malware that spreads through legitimate Xcode projects. Xcode is a development environment (IDE) for macOS and iOS platforms, respectively, XcodeSpy is dangerous, first of all, for developers. Malicious code was found in the TabBarInteraction Xcode project. When using a project, the script installs an autostart service in the system to “decouple” from the parent project. The malware is able to record and send audio and video from the victim’s device to a remote server, record keystrokes, and upload and download files.

According to antivirus company SentinelOne , XcodeSpy was created with a specific purpose against a specific development company (or group of companies) – most likely Asian. It is not known whether the attackers achieved their goals or not, but, according to SentinelOne experts, support for the malware has been stopped at the moment. But it is still dangerous, as it introduces a vulnerability into the system that an attacker can use at any time – even if your computer was not his original target.

Antivirus ESET NOD32 Internet Security
3 999 *
To protect against XcodeSpy, you should be wary of unverified Xcode projects and use a firewall to prevent “unauthorized” connections to unknown servers. Infected Xcode projects can be detected using the command proposed by SentinelOne analysts:

find . -name “project.pbxproj” -print0 | xargs -0 awk ‘/shellScript/ && /eval/{print “\033[37m” $0 “\033[31m” FILENAME}’ »

Electrum Stealer
ElectrumStealer is a Trojan designed to steal Electrum crypto wallets. The malware is distributed using messages masquerading as a request to update the wallet to a new version.

The message is sent to users of the Electrum wallet. When going from a message allegedly to www.electrumofficial.com, the request is redirected to the site of the attackers, from which the Trojan version of the crypto wallet is downloaded. The application was signed by the developer Viktoriia Abaeva (QVU8CNY775), currently the identifier has been withdrawn by Apple.

When launching an “updated” version of the crypto wallet, the Trojan transfers data and passwords to the attackers’ server.

To protect yourself from malware, you should not click on links in messages or install updates from any sites other than trusted official ones. Malware can be removed using MalwareBytes antivirus .

wild pressure
WildPressure is the collective name for a set of tools for penetrating computers running both Windows and macOS, used by the hacker group of the same name.

Specifically, a script written in Python is used to infect macOS machines. When run on a computer, the script sends data about the victim to a remote server, then installs an autostart service, giving attackers access to the infected computer. The service can upload files and execute remote operator commands.

There is no single way to distribute the script at the moment. Attackers from WildPressure allegedly use the Trojan in targeted attacks on selected companies, spreading it by all available methods, including both attacks on company computers using known vulnerabilities and social engineering.

Antivirus ESET NOD32 Internet Security Platinum Edition
2799 *
To detect an infiltrated Trojan, you can use the virustotal service – it detects several dozen suspicious PyInstaller signatures typical of a Trojan. However, it should be understood that attackers can modify the Trojan code for each specific attack. Therefore, standard cybersecurity rules should be followed to protect against WildPressure attacks.

XLoader
XLoader is another cross-platform (there are versions for Windows and macOS) malware application that allows almost anyone to create their own botnet. On the dark web forums, you can buy an XLoader subscription for as little as $49.

XLoader gives the owner of the botnet full access to the infected computer: it allows downloading and executing files, performing keylogging and stealing passwords, and so on.

One way the Trojan is distributed is through an infected document or an executable email attachment. A Trojan can infiltrate a computer either as a binary file or as a compiled Java file with the jar extension. And if the latter requires a Java runtime environment, which is not available on all macOS computers, then the binary file has no such restrictions.

Once launched, the Trojan turns on a custom LaunchAgent, an autorun service, to keep the malware running.

To protect against XLoader, you must follow the rules of information security. A properly configured firewall is also able to detect infection by trying to communicate “incomprehensible” applications with third-party servers. The Trojan can be detected and removed by the MalwareBytes and SentinelOne antivirus packages .

ZuRu
ZuRu is another Trojan for macOS that collects confidential information (including information about logins/passwords) from the infected computer and sends it to the attacker’s server.

Antivirus Kaspersky Internet Security Multi-Device
1 299 *
To infect a computer, ZuRu uses fake applications that masquerade as legitimate macOS software. Links to such applications are provided to users using SEP (Search Engine Poisoning – Poisoning Search Engines) – a hacker method in which a link to a malicious application gets into the search engine results along with links to official sites.

At the same time, the fake site completely copies the design and content of the original site, dulling the user’s vigilance and offering him to download malicious code. There have been cases of ZuRu infection when trying to install Trojan versions of applications such as iTerm, Microsoft Remote Desktop, Navicat, SecureCRT, SnailSVN. The identity used to sign the fake apps was Jun Bi (AQPZ6F3ASY), which has now been withdrawn.

To protect against ZuRu, you should follow standard information security rules. In addition, when going to official sites, you should carefully check the browser line. Attackers try to pick up a domain name as close as possible to the imitated one, but upon closer examination, you can notice the difference.

You can use Intego and MalwareBytes antiviruses to detect and remove ZuRu .

CDDS (MacMa).
MacMa is an original Trojan that uses a chain of iOS and macOS vulnerabilities to infiltrate computers. While the exploited vulnerabilities have now been patched, they may not have been the only way the Trojan was distributed. For example, an older version of the Trojan was discovered that uses a fake Flash Player installer to inject onto a computer.

When infiltrating a device, MacMa attempts to gain access to the microphone and camera.

The Trojan provides a rich set of options to a remote attacker:

keylogging to steal logins/passwords;
recording video and audio from the camera and microphone;
creating screenshots;
downloading files from the server and executing them.
To protect against malware, you should update the software to the latest versions and adhere to information security rules.

What is the result
Most malware cannot run on a computer without user assistance. Therefore, it is extremely important to maintain a high level of information literacy of all those working at the computer. You should be aware of social engineering methods and how malware can penetrate computers. Keep track of the release of software updates, timely updating to the latest versions to eliminate vulnerabilities. Use proven security programs and firewalls .