Malware

Mac malware on the rise again; several new threats found

Posted on June 24th, 2019 by

Mac malware continues to increase in both quantity and variety. In addition to Intego's discovery of new OSX/Linker and OSX/CrescentCore Mac malware, several other active malware campaigns have been observed in June 2019, everything from a bizarre cryptocurrency miner to creepy backdoors that could allow an attacker to log your keystrokes, and more. Let's take a look at some of the Mac malware we've seen in the wild in recent weeks.

Firefox zero-day leveraged to spread OSX/Netwire and OSX/Mokes

A zero-day vulnerability in Firefox (CVE-2019-11707) was leveraged by attackers to spread multiple types of Mac malware.

One of the malware families that spread through exploitation of this vulnerability was OSX/Netwire, a successor to OSX/NetWeirdRC which Intego wrote about in 2012 and 2016.  The other malware family is identified as OSX/Mokes, which Intego also wrote about in 2016. Both are "backdoor" malware, meaning that they have capabilities such as logging keystrokes and taking screenshots of an infected Mac, allowing an attacker to spy on their victims.

It's worth noting that although the rudimentary XProtect malware detection system built into macOS was theoretically capable of detecting the OSX/Netwire sample, in fact XProtect provided no protection whatsoever in this case. Malware installed via a vulnerability doesn't get tagged with a "quarantine" flag, which means it isn't on XProtect's radar, which in turn means that the built-in malware defense in macOS is essentially worthless in such circumstances.

Full technical write-ups on these backdoors can be found in a series of articles by Patrick Wardle: Burned by Fire(fox) part 1 and part 2 (about OSX/Netwire), and part 3 (about OSX/Mokes).

Mac users can protect themselves from the Firefox zero-day vulnerability by ensuring they're using the latest version of the browser. To check for updates, click on the Firefox menu (next to the Apple logo menu in the top-left corner of the screen) and select About Firefox.

LoudMiner aka Bird Miner found in "cracked" VST installers

Two research teams independently discovered a strange cryptocurrency miner that was being distributed in pirated ("cracked") copies of VST audio software, which appear to have been distributed through a blog site for several months—perhaps as early as August or September 2018 based on Intego's research.

The pirated software comes with a parasite: cryptocurrency mining software that attempts to use your Mac's processing power to make money for the digital pirates.

What's particularly bizarre about this unwanted miner is that, rather than the mining software app running as a simple background process, the miner runs within an entire Linux operating system inside of a Qemu virtual machine. In other words, while you're running macOS, another operating system boots up inside of macOS and starts running cryptomining software. It's unclear whether the pirates were just lazy and trying to come up with a cross-platform solution that took little effort, or whether they were trying to use this technique to hide from antivirus software that might detect the miner if it were running natively on the infected computer.

Full technical write-ups about this malware campaign were written by Michal Malik and Thomas Reed.

OSX/NewTab

Intego has also added detection for OSX/NewTab, malware that attempts to inject tabs into the Safari browser. The oldest known samples date back to April 21. Some of the file names are clear indicators of deception, including Government Forms Online Installer.app.zip and Quick N Easy Recipes Installer.app.zip. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE). (A VirusTotal account is required to access these links.)

Notably, none of the approximately 60 antivirus engines on VirusTotal is currently detecting this malware. Intego seems to be the first to add detection for this malware.

Related: Intego discovered two other new Mac malware varieties and published about them this week:

OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass

OSX/CrescentCore: Mac malware designed to evade antivirus

Intego customers are protected

Users of Intego VirusBarrier X9 (part of Intego's Mac Premium Bundle X9 suite) or Flextivity will be notified if any related malware samples are found on their Mac. The malware will be blocked and quarantined automatically.

If you aren't a VirusBarrier X9 user yet, and if you think your Mac might be infected, you can scan your Mac with VirusBarrier Scanner (available for free on the Mac App Store) to check for any infections. After you scan your Mac, your best bet to prevent future infections is to get VirusBarrier X9, which includes real-time scanning functionality—a critical feature to block malware before it can harm your Mac.

How can I learn more?

We talked about some of this malware on episode 88 of the Intego Mac Podcast—be sure to subscribe to make sure you don't miss any episodes. You'll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →