Malware

SmoothOperator: 3CX VoIP app spreads Mac malware by Lazarus Group APT

Posted on by

SmoothOperator is one of three new Mac-infecting malware families that came to light in March (the others being FakeGPT and MacStealer).

Let’s take a look at what SmoothOperator does, who’s behind the campaign, and how you can avoid or clean up an infection.

What should I know about SmoothOperator?

SmoothOperator is a malware campaign built upon what’s known as a software supply chain attack. In other words, the normal distribution method for some legitimate software was compromised and infected with malware.

We’ve seen supply chain attacks on Mac software before; for example, the BitTorrent client app Transmission was compromised twice in 2016, once to distribute KeRanger ransomware and later to steal macOS Keychain contents via Keydnap malware.

But in this case, SmoothOperator was the work of a sophisticated, nation-state level attacker, also known as an advanced persistent threat (APT). The particular APT group in this case is believed to be Lazarus Group, best known among Mac users for its Operation AppleJeus campaign.

Apparently, as part of the SmoothOperator campaign, the Lazarus Group compromised the servers of voice over IP (VoIP) software maker 3CX, and maliciously modified both its Windows and macOS desktop client apps.

Users of the software began to get warnings from their antivirus software on March 22 that something seemed amiss, but 3CX’s tech support representative dismissed it as a false positive and blamed the antivirus vendor. Unfortunately, it turned out that the company’s software was, in fact, infected after all.

How can one remove or prevent SmoothOperator and other Mac malware?

Intego X9 software boxes

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate this Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

For additional technical information about the SmoothOperator malware, you can refer to the original write-up by CrowdStrike and the first and second write-ups of the Mac version by Patrick Wardle.

We briefly discussed Honkbox on episode 286 of the Intego Mac Podcast:

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon. View all posts by Joshua Long →