Although macOS is widely perceived as more secure than Windows, 2024 revealed a worrying trend – a notable increase in Mac-targeted threats. From infostealers like Amos Atomic and Poseidon to advanced nation-state campaigns like BeaverTail and RustBucket, threat actors are exploiting macOS design elements to compromise corporate environments.
An over-reliance on the security mechanisms built-in to macOS can leave organizations vulnerable to attacks, so it’s key for organizations to recognize these risks and understand how to mitigate them effectively.
Phil Stokes
Social Links Navigation
macOS Threat Researcher at SentinelOne.
The Rise of macOS crimeware
There is a growing concern about the presence of malware on macOS, a problem that was relatively minor ten years ago. One contributing factor is the increased prevalence of Macs in business environments, a significant shift from the late 2010s, that has made them more attractive to attackers.
Threat actors have realized there is money to be made from Mac users. As a result, cybercriminals are increasingly targeting them, recognizing the value of these devices for conducting malicious activities.
Additionally, there are more targeted attacks in business environments. Beyond general attacks, Mac users in business environments face targeted attacks from sophisticated threat actors who aim to steal sensitive company data or disrupt operations.
Today, there are more threats to Macs than ever before, but awareness of these threats remains low. In contrast, most Windows users are generally aware of the need for the best antivirus software . However, Mac users often believe their devices are safe by design, a misconception that needs to be reconsidered given the current threat landscape.
Mac myth-busting
While the myth that “Macs don’t get malware” has been thoroughly debunked, a lingering perception persists that macOS is inherently safer than other OSes. This belief stems from comparisons to Windows, which faces a staggering volume of malware, but it doesn’t mean that threat actors aren’t actively targeting Macs, too.
2024 saw a significant uptick in macOS-focused crimeware. Infostealers-as-a-service, such as Amos Atomic, Banshee Stealer, Cuckoo Stealer, Poseidon and others, represent a significant portion of these threats. These tools are designed for quick, opportunistic attacks, aiming to steal credentials, financial data, and other sensitive information in one fell swoop.
Amos Atomic, which reportedly began as a ChatGPT project in April 2023, has quickly evolved into one of the most prominent Malware-as-a-Service (MaaS) platforms targeting Mac users. Initially a standalone offering, Amos Atomic has splintered into multiple variants, including Banshee, Cthulu, Poseidon, and RodrigoStealer. These versions are now developed and marketed by competing crimeware groups, spreading rapidly and affecting businesses throughout 2024.
What sets this malware family apart is its shift in distribution tactics. Instead of focusing on cracked games or user productivity apps , it now spoofs a wide range of enterprise applications, significantly broadening its reach and posing a greater threat to corporate environments.
Safe – or unsafe – by design?
For convenience, Apple designed Macs so that a single password could be used to unlock the device and allow administrator functions. This means that by default, the same password is used for logging in, installing software, and unlocking the Keychain – the database built into macOS that stores other passwords, including online credentials saved in the browser, application certificates, and more.
In addition, a built-in AppleScript mechanism makes it easy for attackers to fake a legitimate-looking password dialog box. Malware that successfully spoofs a password dialog box to install a fake program is then able to access all the sensitive data stored in the Keychain.
This straightforward yet effective approach is widely adopted by the rash of infostealers currently plaguing macOS businesses and home users. Given how deeply these features are integrated into the system itself, this technique is unlikely to be mitigated by Apple any time soon.
Advanced adversaries: Staying hidden in plain sight
Rather than the quick-hit tactics of smash-and-grab infostealers, advanced adversaries such as nation-state actors also aim to persist on the device over time. Their goal is to maintain long-term access to compromised devices, often for espionage or other high-value objectives. With Apple introducing user notifications for background login items in macOS Ventura, attackers have adapted by exploring new ways to remain undetected.
Common techniques include trojanizing software, which consists of compromising popular or frequently used applications to ensure the malicious code runs regularly. This can involve infecting development environments such as Visual Studio and Xcode with malicious payloads.
Additionally, leveraging Unix components, threat actors are exploiting overlooked command line elements like zsh environment files (“.zshenv” and “.zshrc”), which execute whenever the user opens a new terminal session, granting the attacker persistent access to the system.
Such tactics underscore the importance of scrutinizing trusted applications, development tools, and the underlying command line environment.
Defensive strategies for organizations
To protect against the rising tide of macOS threats, organizations should implement proactive and comprehensive security measures. Key defensive strategies include:
Control user actions: Recognize that most malware on Macs comes through user interaction. Use device management to control what users can change and do on their devices and limit admin privileges to reduce the risk of malware installation.
User education: Educate employees on the risks of using Apple’s built-in Passwords app and Keychain for storing corporate credentials. Instead, mandate the use of trusted third-party password managers that provide stronger security and compartmentalization.
Ensure visibility: Implement software that provides visibility into the system to monitor changes and detect suspicious activities. Understand how to check for malware and what tools to use for confidence in the system’s security.
Adopt robust security solutions: macOS’s built-in XProtect malware detection is updated infrequently and offers limited coverage. Organizations should deploy an advanced security solution that provides real-time threat detection and prevention.
Rethinking macOS security
The perception that macOS is inherently more secure can create a dangerous blind spot for organizations. Macs are not necessarily more “secure by design” than any other computing platform, and the evidence from 2024 demonstrates that threat actors are increasingly targeting them.
Organizations must treat macOS as a primary target in their security strategy, adopting a layered defense approach and educating users about the risks.
By recognizing and addressing these vulnerabilities, organizations can mitigate the risks of betting too heavily on macOS security – and avoid becoming sitting ducks for the next wave of attacks.
We list the best antivirus software for Mac .
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
+ There are no comments
Add yours