Earlier this month, we reflected on the top security and privacy news that impacted the Apple ecosystem in 2023. Today, it’s finally time to review the most notable Mac malware and iPhone malware campaigns of the past year. We’ll also forecast what we can expect to see more of in 2024.
In this article:
- A chronological overview of 2023’s Mac and iPhone malware, by month
- A review of notable 2023 Mac and iPhone malware by classification
- Malware forecast for 2024
- How can I learn more?
Mac malware and iPhone malware chronology of 2023
Following are some notable events in macOS and iOS malware in 2023, broken down by month.
- New variants of CoinMiner cryptojacking malware emerged online.
- SentinelOne reported that SparkRAT, a cross-platform remote access tool, was being used in an attack campaign dubbed DragonSpark. Although it has a Mac variant, no Macs were reported to have been infected as part of this campaign.
- News stories claimed there was a new Dridex banking Trojan for Mac; Trend Micro later retracted its write-up after realizing that their analysts had found a 2019 sample.
- Patrick Wardle discovered previously unknown malware that he called iWebUpdate. It was first uploaded to VirusTotal in September 2018, and was undetected until Wardle discovered it on Valentine’s Day.
- Several companies wrote analyses of recent cryptojacking malware samples. The write-ups referred to the samples as variants of CoinMiner, I2Pminer, or XMRig.
- The FBI shut down the NetWire (NetWeird) commercial spyware distribution site. Better late than never, but unfortunately, NetWire had enabled surreptitious spying on Mac users for 11 years.
- Samples of RustBucket malware were uploaded to VirusTotal for the first time.
- A research team developed BlackMamba, a proof-of-concept polymorphic keylogger. What’s interesting is that BlackMamba was created using a large language model (LLM). This demonstrated the utility of using ChatGPT-like chatbots to generate malicious code.
- 3CX voice-over-IP software was compromised and distributed Trojanized software infected with SmoothOperator malware. The company’s servers were infected with the POOLRAT backdoor.
- MalwareHunterTeam discovered the LockBit ransomware group’s first Mac malware.
- The same team also discovered GoSorry macOS malware in April.
- The FBI shut down the Turla/Snake malware operation. A Mac variant of this malware was discovered in 2017.
- The “Charming Kitten” APT group used NokNok in the wild against a U.S.-based organization.
- A Web developer first blogged about his concerns over the NightOwl app’s behavior.
- Guardz published a report of ShadowVault Mac malware sold on the Dark Web (without verifying that samples exist).
- Proofpoint wrote a report exposing NokNok malware.
- Intego wrote about several malicious and suspicious iOS App Store apps.
- Guardz published a report of a Mac variant of HVNC malware sold on the Dark Web (without verifying that samples exist).
- YCombinator’s Hacker News linked to the June blog post about NightOwl; Intego investigated and wrote a detailed report about it.
- Jamf published a report about a new XLoader variant.
- Intego warned of even more scam apps in the iOS App Store.
- Mac data-stealer malware roundup: AtomicStealer, MetaStealer, and Realst were all active in September.
- KandyKorn malware emerged; Elastic published a report about it on Halloween.
- Intego discovered fraudulent apps using the xAI company name in the iOS App Store and Google Play Store.
- Jamf documented the ObjCShellz malware.
- Patrick Wardle analyzed the Turtle ransomware, which was first uploaded to VirusTotal that month.
Mac malware and iPhone malware of 2023, by category
There are various ways by which malware can be classified. For this section, we’ll use broad categories like advanced persistent threats and stealer malware, wherever they best fit. (Note that some malware may fit into multiple categories.)
The most fascinating Mac malware trend of 2023 was the sharp rise in stealer malware. Stealers are designed to exfiltrate sensitive data, often extracted from Web browsers on a victim’s computer. The types of targeted data often include usernames and passwords, authentication cookies that behave as login credentials, and cryptocurrency wallets.
Early in the year, as ChatGPT gained popularity, malware makers took notice. In March, we wrote about FakeGPT Chrome extensions that hijack Facebook accounts by stealing authentication cookies. (As a side note, in late May and early June, a developer found dozens of malicious extensions in the Chrome Web Store.)
Several Mac-specific stealer families emerged in 2023. These included MacStealer, Atomic Stealer (aka AMOS, short for Atomic macOS Stealer, which was distributed as part of the ClearFake campaign), MetaStealer, GoSorry, Realst, and PureLand. Various incarnations steal passwords, cryptocurrency wallets, authentication cookies, and other files from victims’ Macs.
Stealer malware is often available as “malware as a service,” sold via Dark Web forums and Telegram. It’s commonly delivered in the form of a Trojan horse; typically victims think they’re downloading illegally cracked copies of commercial software, and their Mac gets quietly infected when they run it.
Perhaps the most interesting example in 2023 was Realst Stealer, which the developers quickly updated to improve macOS Sonoma support. This malware was distributed via elaborate social media marketing campaigns for video games, targeting people interested in NFTs (non-fungible tokens) and blockchains. The malware was designed to secretly steal victims’ cryptocurrency.
Mac stealer malware continued to evolve and re-emerge through the year; we reported in September that AtomicStealer, MetaStealer, and Realst all had active campaigns that month.
In December, AT&T discovered and wrote about JaskaGO, which included command-and-control capabilities and thus was arguably one of the most severe stealer samples of the year.
Advanced persistent threats (APTs)
There was a ton of Mac malware that APT groups developed and deployed in 2023. Most of them were attributed to threat actors commonly believed to be operating on behalf of North Korea, including the Lazarus Group and BlueNoroff.
The 3CX VoIP company was compromised in March 2023. The company stated that its “macOS build server was compromised with POOLRAT backdoor” malware. 3CX unknowingly distributed Trojanized copies of its own software that were infected with SmoothOperator malware. Infected computers would connect to a command-and-control server. There was some debate as to who was behind the attack; some reported it was the Lazarus Group, others claimed it was a Lazarus sub-group called Labyrinth Chollima, and still others believed it was UNC4736—another group with ties to North Korea.
KandyKorn, a full-featured backdoor, emerged in October. Security researchers at Elastic wrote about it on Halloween. The malware was reportedly designed to infect blockchain engineers. Elastic attributed this threat to the Lazarus Group.
At least two Mac malware campaigns were attributed to North Korean APT group BlueNoroff, which some believe to be a sub-group of, or at least to have ties with, Lazarus Group. The first was RustBucket, which spread in March via Trojan malware disguised as a PDF viewer. In November, Jamf reported on ObjCShellz, which was presumed to have spread through targeted social engineering attacks, like RustBucket.
In June, an APT group targeted a Japanese cryptocurrency exchange with JokerSpy malware. JokerSpy’s origin was unconfirmed, but malware researcher Patrick Wardle noted that it may have been a North Korean threat actor based on a reused IP address.
JumpCloud reported on July 12 that it had been compromised, and would provide further details of the attack as they were uncovered. Malware used in the attack included FULLHOUSE.DOORED, STRATOFEAR, and TIEDYE. Mandiant investigated, and attributed the attack and malware to UNC4899, a North Korean threat actor that likely corresponds to 2022’s TraderTraitor Mac malware.
In July, Proofpoint wrote about NokNok, a Mac port of GorjolEcho Windows malware. NokNok was distributed via a targeted email campaign. Proofpoint attributed this malware to the Charming Kitten APT group, associated with Iran. Although the company provided hashes for NokNok, the samples have not turned up on VirusTotal or other public repositories.
Apparently, there was also an Operation Triangulation implant for macOS (associated with TriangleDB, the spyware used against Russian iPhones).
iPhone mercenary spyware
Although most people assume that there isn’t any iPhone malware, that isn’t actually the case.
There are several commercial “mercenary” spyware companies that sell their wares to government and law enforcement agencies. Unfortunately, governments have been caught abusing these tools to spy on journalists, politicians, dissidents, and their own citizens. The NSO Group’s Pegasus spyware continues to appear in headlines. The Citizen Lab and Microsoft released reports indicating that QuaDream’s KingsPawn spyware was used to hack iPhone victims with rogue calendar invites. Kaspersky Lab revealed that several vulnerabilities were chained together to infect iPhones in Russia with TriangleDB spyware this year; Apple has since patched these vulnerabilities. In September, Apple patched vulnerabilities exploited by Predator spyware. Meanwhile, while it didn’t get as much attention in 2023, Italy-based RCS Lab also develops Hermit spyware.
If you feel you have an elevated need to protect yourself from sophisticated threat actors, you should use Lockdown Mode. This high-security mode is available on Macs, iPhones, and as of late 2023, the Apple Watch, too. It’s a bit inconvenient to use devices with Lockdown Mode enabled, as it’s designed to disable several common features, such as the ability to view PDFs in Safari or sent via iMessage. But, as reported by The Citizen Lab, Lockdown Mode has been proven to limit such malware’s ability to infect iPhones.
Apple banned all antivirus software from the iOS App Store in 2015. But perhaps in the future, at least in the EU given its new rules taking effect in March, we may see the return of antivirus apps that can run directly on iOS. In the meantime, VirusBarrier X9 is the only Mac antivirus utility designed to scan iPhone, iPad, and iPod touch for a wide variety of malware files.
Potentially unwanted apps (PUAs/PUPs) and fraudulent apps
First, let’s talk about a potentially unwanted Mac app, then we’ll look at iOS and iPadOS threats (which can also be installed on Apple silicon Macs via the Mac App Store).
In August, Intego published a detailed investigative report about an app called NightOwl. A blog post claimed that the software joined Macs to a botnet army, so we investigated. It turned out that NightOwl had been sold by the original developer to a different software development team, and they had made some sketchy changes. While the app wasn’t observed doing anything overtly malicious, it contained code indicating that users’ Macs could potentially be leveraged by unscrupulous third parties through a “residential proxy” service. Read our report for more details.
And now let’s shift to potentially unwanted and fraudulent apps found in the iOS and iPadOS App Stores.
Throughout the year, many mobile app developers engaged in unethical behavior, and somehow their apps were still approved by human App Store reviewers.
One developer published a fake Threads app, designed to look like Meta’s (ostensibly “Instagram’s”) new social network app, that charged exorbitant subscription fees. It was available in regions where the real Threads app had not yet launched, making it especially likely that victims in those regions could encounter it and think it was the real Threads app.
Later in the year, after Elon Musk-owned xAI announced its Grok chatbot (a ChatGPT competitor), Intego reported on multiple fake xAI apps in the App Store—none of which were actually affiliated with the AI startup.
Meanwhile, fraudulent loan apps were a persistent problem in the App Store throughout 2023. In some countries—such as India, Indonesia, Nigeria, the Philippines, and Thailand—financial loan apps are very popular. One researcher named Babu singlehandedly found and reported more than 200 fraudulent loan apps to Apple in 2023. Based on Babu’s research, these fraudulent apps likely had millions of cumulative downloads throughout 2023; in a particular one-week period in August, just five fraud apps had garnered hundreds of thousands of downloads, as Intego reported in September.
Completed 6 months today since I started eating #FraudLoanApps for breakfast, lunch and dinner.
🔸Total Apps Removed = 2344
🔸Google Play Store = 2125
🔸iOS App Store = 219
…and this is just a beginning 🥷
— Babu (@pooniawalla) December 23, 2023
Other examples of Mac malware include various CoinMiner variants; these are cryptocurrency mining software, often installed by threat actors as part of a cryptojacking campaign. The term cryptojacking refers to mining for cryptocurrency using someone else’s computing resources, without their explicit permission or consent.
Worth a brief mention is SparkRAT: an open-source, cross-platform remote access tool that has been in development since 2022. SentinelOne wrote in January 2023 that SparkRAT had been used in an attack campaign dubbed DragonSpark, although they did not report that any Macs were infected as part of this campaign.
FBI takedowns of malware
The FBI was involved in takedowns of at least two Mac-connected malware operations in 2023.
In March, the FBI and collaborators shut down the distribution servers of NetWire (aka NetWeird), which was commercial spyware. Unfortunately, NetWire had enabled surreptitious spying on Mac users for 11 years; Intego first reported about it in 2012.
Later, in May, the FBI and other U.S. and international agencies worked together to shut down Turla’s Snake malware operation, as we reported in episode 291 of the Intego Mac Podcast. A Mac variant of the Snake malware was discovered six years prior; Intego reported about it in May 2017.
AI’s impact on malware in 2023
It’s undeniable that AI tools similar to ChatGPT have made it easier for less sophisticated coders to write malware. Back in February, we wrote that “ChatGPT is malware makers’ new A.I. partner in crime,” as it had been repeatedly jailbroken (i.e. its guardrails circumvented) to write malware, phishing messages, and other potentially harmful content.
In July, reports emerged about WormGPT, which threat actors were beginning to use to generate phishing e-mails targeted at businesses; we discussed this on episode 301 of the Intego Mac Podcast. WormGPT is specifically designed for black-hat hackers’ use; thus it’s only available via the Dark Web, making it more difficult for law enforcement to shut down.
In early November, Elon Musk-owned artificial intelligence startup xAI launched Grok, its own ChatGPT-like chatbot. While not specifically designed for malware or phishing content creation, it’s able to do both, sometimes with a bit of prodding. Unlike ChatGPT, which simply blocks such queries, Grok provides the requested output while warning about ethical considerations. The company hasn’t said whether additional guardrails may be put in place eventually. Grok isn’t free; currently the only way to access it is to pay $16 per month for X Premium+, the highest paid tier of X (formerly known as Twitter).
In December, WhiteRabbitNeo launched as a tool for offensive and defensive cybersecurity. With a ChatGPT-like interface, it’s specifically designed for red, blue, and purple teamers (i.e. people hired to ethically attack and/or defend corporate environments). Its usage agreement prohibits use by militaries as well as a variety of unethical uses such as intentionally spreading misinformation. But, of course, there’s no way to prevent less-ethical individuals from violating the usage agreement.
It’s important to emphasize that any tool can be used for good or for evil. The same AI tools that black-hat threat actors use to create malware can also be used by white-hat security researchers trying to make the world safer for everyone.
Malware forecast for 2024
Given the sharp rise in stealer malware in 2023, and the lack of mitigations for such threats, we expect this trend to continue well into 2024. Browser makers should work together to identify better ways to safeguard browser data on the client side. And more importantly, Internet standards bodies should work with providers of Web services to validate that authentication cookies have not been stolen from a victim and reused by an attacker.
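One way a Web service could perform the validation described above, shown as an added illustration rather than Intego’s code or any published standard: bind each session cookie at login to a per-device key, and require a fresh signed challenge before honoring the cookie for a sensitive request. The in-memory session store, the HMAC scheme, and the assumption that the client keeps the binding key in an OS-protected store (not in the browser’s cookie database that stealers copy) are all assumptions made for this example.

```python
import hmac
import hashlib
import secrets


class SessionStore:
    """Constructed, in-memory stand-in for a Web service's session back end."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": ..., "bind_key": ...}
        self.nonces = {}    # session_id -> outstanding single-use challenge

    def login(self, user):
        """Issue the cookie value and a device-binding key.
        Assumption: the client stores bind_key outside the cookie jar."""
        session_id = secrets.token_hex(16)
        bind_key = secrets.token_bytes(32)
        self.sessions[session_id] = {"user": user, "bind_key": bind_key}
        return session_id, bind_key

    def challenge(self, session_id):
        """Fresh nonce the client must sign before a sensitive request."""
        nonce = secrets.token_bytes(16)
        self.nonces[session_id] = nonce
        return nonce

    def verify(self, session_id, proof):
        """Return the user only if the cookie comes with a valid proof over
        the current nonce; the nonce is consumed whether or not it matches."""
        sess = self.sessions.get(session_id)
        nonce = self.nonces.pop(session_id, None)
        if sess is None or nonce is None:
            return None
        expected = hmac.new(sess["bind_key"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return sess["user"]


def client_prove(bind_key, nonce):
    """What the legitimate device does with its protected binding key."""
    return hmac.new(bind_key, nonce, hashlib.sha256).digest()


def demo():
    store = SessionStore()
    sid, key = store.login("alice")
    # 1. Legitimate device: holds both the cookie and the binding key.
    legit = store.verify(sid, client_prove(key, store.challenge(sid)))
    # 2. Stolen cookie replayed without the key: proof cannot be produced.
    nonce = store.challenge(sid)
    replay = store.verify(sid, bytes(32))
    # 3. A previously captured proof: its nonce has already been consumed.
    proof = client_prove(key, store.challenge(sid))
    store.verify(sid, proof)
    stale = store.verify(sid, proof)
    return legit, replay, stale
```

The cookie alone never grants access: in cases 2 and 3 `verify` returns `None`, which is the point at which a service would log the event and invalidate the session.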
Each year we continue to see more macOS malware written by sophisticated and well-funded attack groups. And in 2023, there were more reports than ever about iOS APT malware. We fully anticipate observing more Mac-targeted and iPhone-targeted APT malware surfacing throughout 2024.
And everyone always wants to know how the rise of AI will impact malware. Given the ease with which attackers with little to no coding experience can now get LLMs to write code for them, it won’t be surprising to see more chatbot-generated malware in 2024. So yes, there will be more AI-generated malware in 2024. However, it may not always be easy to identify malware as being generated by AI. Threat developers often reuse code anyway, and chatbots are trained on publicly available data, including malware for which source code is readily available online.
How can I keep my Mac safe from malware?
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate all of the malware covered in this write-up, and a lot more.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.