According to researchers Claudio Guarnieri and Collin Anderson, there is a new Mac malware, possibly created in Iran, that targets companies and individuals connected to the US defense industry. The malware hides in a fake Flash update that, once installed, harvests data from the infected Mac.
The two researchers discovered the malware on a site that referenced Lockheed Martin, Sierra Nevada Corporation and Boeing, and which impersonated “United Technologies Corporation”, a US aerospace firm. The site tried to attract potential victims by offering “Special Programs and Courses”, and it had previously been used to spread Windows malware. The host is believed to be “maintained by Iranian actors” who have carried out other phishing attempts in the past: they have also created fake sites for a dental office and tried their luck with a fake US Air Force training page that lured many victims.
When visiting these websites, users are served malware that detects whether the device runs Windows or macOS. In the case of “MacDownloader”, the malware displays a fake Adobe Flash Player dialog that prompts users to install the latest Flash Player version, although users are allowed to close the window. If they fall for the trap and accept the update, they see a second dialog suggesting that they download an “Adware Removal Tool by Bitdefender” that will search for adware.
Claudio Guarnieri and Collin Anderson also suggest that MacDownloader started out as a fake virus removal tool, and that its creators later repackaged it as a fake Flash Player update. Once installed, the malware collects data from the Mac and sends the user’s Keychain and other data to the attackers’ server. The attackers can then access the encrypted Keychain data using the username and password that victims enter into a fake System Preferences dialog.
The good news is that the code is poorly developed, which suggests the attackers are not professionals: the researchers found many spelling and grammar mistakes, and the code that switches the dialog boxes from Flash to Bitdefender may have been copied from another source. “Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work,” said the researchers.