2023 macOS Malware Round-Up

While macOS systems have a reputation for being less susceptible to malware than other operating systems, they are not immune. For many macOS users, their reputation for security is worth the premium price tag that Apple products come with. However, Mac users should still practice good cybersecurity hygiene, such as not downloading software from untrustworthy sources, regularly backing up important data, and using reliable security software, and yes, macs need anti-virus too.

Let's look at the biggest macOS device threats in the 2023 threat landscape.

Top macOS Malware Threats in 2023

What macOS malware exists in 2023?

Here are the top six our ethical hackers recommend keeping an eye out for:

#1: CloudMensis 

In 2022 ESET researchers discovered a novel macOS backdoor spyware. Dubbed CloudMensis, the malware steals a victim's documents, keystrokes, and screenshots, and sends them to a cloud drive including popular cloud storage applications pCloud, Yandex Disk, and Dropbox. Storage. 

Although CloudMenesis's functionality is rather simple, Apple did acknowledge the increased threat that spyware poses to its users and advises enabling "Lockdown Mode" on iOS, iPadOS, and macOS to reduce the risk of exposing sensitive files to attackers. Lockdown mode is a feature on Apple products that the company claims increases a device's resilience to the most advanced and sophisticated cyber-attacks by strictly limiting the number of available applications. 

#2: Filecoder Ransomware / Locker

Filecoder (aka OSX/Filecoder.E, FindZip, Patcher) is a ransomware strain that targets macOS systems. Discovered by researchers in early 2020, Filecoder gains initial access to victims when they unknowingly install trojanized software disguised as free pirated software. Filecoder is primarily distributed via Torrent peer-to-peer file-sharing sites and once executed, it encrypts the victim's files rendering them useless. 

However, reports warn that the operators behind the Filecoder malware do not reliably return a decryption code, even when victims pay the ransom. Filecoder is also notable for its relatively crude implementation and contained flaws, which sometimes allowed cybersecurity researchers to create decryption tools to recover files without paying the ransom.

#3: AppleJeus

AppleJeus malware is attributed to the Lazarus Group: an advanced persistent threat (APT) cybercrime organization with reported links to North Korea. First discovered in 2018, AppleJeus represented a significant shift in the Lazarus Group's tactics. Before AppleJeus, the group primarily targeted Windows machines, however, with AppleJeus, the group broadened its focus to include macOS, showing an increased level of sophistication.

AppleJeus is designed to infiltrate cryptocurrency exchanges and steal the victim's cryptocurrency. It masquerades as a legitimate-looking cryptocurrency trading software and is distributed through scam websites that imitate real crypto-trading platforms.

Once installed on a victim's machine, AppleJeus calls out to its command and control (C2) servers and exfiltrates sensitive information, including cryptocurrency wallet keys, thus enabling the attackers to steal funds. AppleJeus has also received several updates during its history to improve various capabilities such as evading detection by security products.

#4: NukeSped

NukeSped (aka ThreatNeedle) is a remote access Trojan (RAT) designed specifically for macOS that was first discovered in 2019 and is also attributed to the Lazarus APT. NukeSped is another trojan that masquerades as a cryptocurrency platform and is primarily distributed via a malicious website offering the application for download. NukeSped is also considered an increased threat because it has a wide array of capabilities including ransomware, spyware, and stealer malware.

NukeSped gives an attacker remote access to the victim's network and host device to collect and steal information and import other malware to launch secondary attacks such as ransomware. The NukeSped malware does have advanced capabilities such as executing payloads in memory to avoid detection by anti-virus scanners. 

On the bright side, the trojan application containing NukeSped does not have a digital signature, so macOS Gatekeeper will warn the user before it can be installed. Overall NukeSped is a serious threat and another reminder to avoid installing applications from untrusted sources.

#5: FinSpy

FinSpy (AKA FinFisher) is sold as a legitimate commercial surveillance software developed by the German company Gamma International GmbH. It is considered "governmental malware" or a "lawful intercept" by some IT security industry pundits because it is typically sold to law enforcement and intelligence agencies as a surveillance software tool. However, despite its use by legitimate entities, FinSpy is also a favourite for macOS attacks and has been used in cyber-attack campaigns that target human rights activists and political dissidents in Bahrain, Ethiopia, UAE, and Turkey. Although FinSpy is not limited to use with macOS (it's also available in native Windows, Linux, iOS, and Android apps), it is notable as a macOS malware due to its popularity amongst malicious threat actors.

FinSpy is a powerful spying tool that can monitor various forms of a host device's activity including capturing keystrokes, recording Skype conversations, taking screenshots, accessing emails and instant messages, turning on the device's microphone or webcam, and more. FinSpy is often delivered through phishing emails or malicious websites, although it can also be installed manually if the attacker has physical access to the device. Once installed, it attempts to evade detection by antivirus software and installs itself as a scheduled process to restart each time a system reboots.

#6: EvilQuest

EvilQuest (AKA ThiefQuest, or MacRansom.K) is a ransomware strain first discovered in mid-2020 that targets macOS systems. EvilQuest is typically hidden in pirated software or other illicit software downloads available on torrent sites. During installation, EvilQuest requests administrative privileges from the active user, and once installed, it follows its remote operator's instructions to search the system for valuable file types (such as cryptocurrency wallets and browser password caches), capture and exfiltrate keystrokes, or encrypt the victim's files and create a ransom note demanding payment. Its multi-functionality makes EvilQuest a unique and potent threat. 

macOS users are recommended to download software only from trusted sources, keep their systems and security software updated, and maintain the regular backing-up of important files to mitigate the risk of such ransomware attacks.

Conclusion

macOS systems, despite their reputation for security, are still vulnerable to a range of malware threats with diverse capabilities, although the macOS threat landscape still evolves at a slower pace than attacks that target Windows systems. 

The scope of malware targeting Mac includes backdoor spyware and ransomware, stealers, remote access trojans, and sophisticated surveillance software.  Notably, Apple has responded to threats that target its platform with features such as Gatekeeper and Lockdown Mode, demonstrating their attentiveness and competence in making their users more secure.

Despite these advances in macOS, however, users should still employ caution to mitigate potential attacks by practicing good cybersecurity hygiene, including downloading software from trusted sources, regularly updating their systems, and keeping reliable backups.

Ready to level up your ransomware protection? Kickstart your Compromise Assessment today, or reach out to a member of our team to gain zero-obligation insight into what threats we recommend you focus on to best protect your digital assets.