{"id":22175,"date":"2023-12-08T08:17:40","date_gmt":"2023-12-08T13:17:40","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/macos-users-cyberthreats-2023\/22175\/"},"modified":"2023-12-11T15:08:45","modified_gmt":"2023-12-11T11:08:45","slug":"macos-users-cyberthreats-2023","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/macos-users-cyberthreats-2023\/22175\/","title":{"rendered":"Are Macs safe? Threats to macOS users"},"content":{"rendered":"

Many Apple users believe the macOS operating system is so secure that no cyberthreats can harm them, so they don\u2019t need to worry about protecting their devices. However, this is far from the case: while there is<\/em> less malware for macOS, it\u2019s still much more common than Apple device owners would like to think.<\/p>\n

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we\u2019ll look at three recent studies on several malware families that have been published over the past few weeks.\n<\/p>\n

BlueNoroff attacks macOS users and steals cryptocurrency<\/h2>\n

\nIn late October 2023, our researchers discovered a new macOS Trojan<\/a> that\u2019s believed to be associated with BlueNoroff<\/a>, the \u201ccommercial wing\u201d of the Lazarus<\/a> APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system \u2014 including the notorious heist of the Bangladesh Central Bank<\/a> \u2014 and secondly, stealing cryptocurrencies from organizations and individuals.<\/p>\n

The discovered macOS Trojan downloader<\/a> is distributed within malicious archives. It\u2019s disguised as a PDF document titled \u201cCrypto-assets and their risks for financial stability\u201d, with an icon that mimics a preview of this document.<\/p>\n

\"BlueNoroff\/RustBucket:<\/a>

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive. Source<\/a><\/p><\/div>\n

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that\u2019s not all that happens. The Trojan\u2019s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.\n<\/p>\n

Proxy Trojan in pirated software for macOS<\/h2>\n

\nIn late November 2023, our researchers discovered another malware instance that threatens Mac users \u2014 a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist<\/a>.<\/p>\n

As mentioned earlier, this malware belongs to the category of proxy Trojans \u2014 malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.<\/p>\n

Alternatively, the Trojan\u2019s owners might directly use the infected computers to carry out criminal activities in the victim\u2019s name \u2014 whether it\u2019s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.\n<\/p>\n

Atomic stealer in fake Safari browser updates<\/h2>\n

\nAlso in November 2023, a new malicious campaign was discovered<\/a> to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers<\/a>. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim\u2019s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.<\/p>\n

The Atomic Trojan was first discovered and described<\/a> back in March 2023. What\u2019s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.<\/p>\n

\"Fake<\/a>

A site with fake Safari browser updates that actually contain the Atomic stealer. Source<\/a><\/p><\/div>\n

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim\u2019s computer:\n<\/p>\n