Recent developments highlight an increasing threat landscape for macOS users, as attackers adopt sophisticated techniques to target this platform. Traditionally seen as secure from malware, macOS is now under significant threat from various cyber-attacks. Microsoft has aggregated recent OSINT trends in threats to macOS, providing a comprehensive overview and recommendations for defending against these emerging threats.
Recent OSINT Trends in Threats to macOS: Technical Overview
Trends in Types of Attack and Targets:
- Malicious Ads and Software Distribution: Cybercriminals are using malvertising campaigns and compromised websites to distribute malware to Mac users. This involves leveraging legitimate ad networks to spread malicious content, with incidents increasing as threat actors refine their techniques. In March 2024, a significant threat was identified targeting Chinese users through modified versions of popular text editors that included backdoors. Another notable incident in January 2024 involved the Atomic Stealer malware, which stole sensitive data from Mac users through deceptive DMG file installations.
- Social Engineering Campaigns: Threat actors employ social engineering tactics to deceive Mac users into downloading malware-laden software. Examples include the KandyKorn campaign by North Korean actors, which targeted blockchain engineers with a C++ backdoor disguised as a crypto arbitrage bot. Other notable campaigns include RustBucket, which used a malicious PDF Viewer to deploy Rust-based malware, and Sapphire Sleet, which lured users through LinkedIn and Telegram with malicious files.
- Exploiting Software Vulnerabilities: Cybercriminals exploit vulnerabilities in popular software to distribute malware. This includes using modified text editors and cracked software to deliver trojans and proxy malware. In December 2023, a new trojan-proxy was discovered, using cracked software installers to build a proxy server network and perform various criminal activities.
Threat Actors and Their Tactics
- State-Sponsored Threat Actors: State-sponsored threat actors, particularly from North Korea, have intensified their focus on macOS. Groups tracked by Microsoft, such as Sapphire Sleet, Jade Sleet, and Citrine Sleet, use sophisticated tactics to compromise Mac systems. These tactics include masquerading as legitimate entities, social engineering, and distributing malware through fake cryptocurrency apps and websites.
  - Jade Sleet: Specializes in targeting cryptocurrency-related organizations using multi-platform malware frameworks.
  - Citrine Sleet: Targets financial institutions and cryptocurrency managers with malware like AppleJeus to seize control of cryptocurrency assets.
What Our Threat Intelligence Team is Seeing
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- Trojan:MacOS/SamScissors
- Trojan:MacOS/KandyKorn
- Trojan:MacOS/AppleJeus
- Backdoor:MacOS/AppleJeus
- Trojan:MacOS/NukeSped
- Trojan:Script/RustBucket
- Backdoor:IRC/Mata
Microsoft Defender for Endpoint
The following alerts might also indicate activity associated with these threats.
- Suspicious AppleScript activity
- Emerging threat activity group Citrine Sleet detected
- Sapphire Sleet actor activity
- Suspicious activity linked to a North Korean state-sponsored threat actor has been detected
- ‘AppleJeus’ malware was prevented
- ‘AppleJeus’ backdoor was prevented
- ‘KandyKorn’ malware was detected
- ‘KandyKorn’ malware was prevented
- ‘RustBucket’ malware was detected
- ‘RustBucket’ malware was prevented
- Endpoint attack notifications: Credential access leading to Atomic Stealer Malware.
- ‘Electron’ malware was detected
Microsoft Defender for Office 365
The following alerts in your portal indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:
- Malware campaign detected and blocked
- Malware campaign detected after delivery
- Email messages containing malicious file removed after delivery
What We Suggest to Mitigate Recent OSINT Trends in Threats to macOS
- Use Microsoft Defender Antivirus:
  - Enable and configure Microsoft Defender Antivirus to protect against these threats.
  - Turn on automatic sample submission to leverage AI and machine learning for rapid threat identification and prevention.
- User Education:
  - Train users on protecting personal and business information on social media.
  - Teach users to identify phishing lures and suspicious activities, and to report them promptly.
  - Instruct users to ignore or delete unsolicited emails and attachments.
- Security Settings:
  - Enable tamper protection in Microsoft Defender for Endpoint to prevent unauthorized changes to security settings.
  - Encourage good credential hygiene and enable the Microsoft Defender Firewall.
- Incident Response:
  - Isolate compromised systems immediately and reset credentials and tokens.
  - Investigate device timelines for lateral movement activities and check for additional attacker tools.
- Prevent Initial Compromise:
  - Enable Safe Links and Safe Attachment policies in Defender for Office 365.
  - Enable real-time protection and behavior monitoring in Microsoft Defender Antivirus for macOS.
- Advanced Protection:
  - Run endpoint detection and response (EDR) in block mode to allow Microsoft Defender for Endpoint to block malicious artifacts even if another antivirus is in use.
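As an added example (not Microsoft's tooling or code from this page), the following shell script audits the three on-device Defender settings recommended above (real-time protection, behavior monitoring, tamper protection) through the `mdatp` command-line tool that ships with Defender for Endpoint on macOS and prints the corrective command for any setting that is non-compliant. The health field names, their expected values and the `behavior-monitoring` config command are assumptions to verify against the product documentation for your installed version.

```shell
#!/bin/sh
# Audit of Defender for Endpoint on macOS settings named in the recommendations
# above. Added example, not Microsoft's own tooling. Assumption: the field names,
# expected values and config commands match the current `mdatp` CLI.

# expected_value FIELD -> prints the value a compliant host reports
expected_value() {
  case "$1" in
    real_time_protection_enabled) echo "true" ;;
    behavior_monitoring)          echo "enabled" ;;   # assumed field name
    tamper_protection)            echo "block" ;;
    *) return 1 ;;
  esac
}

# remediation FIELD -> prints the mdatp command that enforces the setting
remediation() {
  case "$1" in
    real_time_protection_enabled) echo "mdatp config real-time-protection --value enabled" ;;
    behavior_monitoring)          echo "mdatp config behavior-monitoring --value enabled" ;;
    tamper_protection)            echo "mdatp config tamper-protection enforcement-level --value block" ;;
  esac
}

# evaluate_field FIELD VALUE -> prints OK, FAIL or UNKNOWN; exit status 0 only on OK
evaluate_field() {
  exp=$(expected_value "$1") || { echo "UNKNOWN"; return 2; }
  val=$(printf '%s' "$2" | tr -d '"')   # mdatp wraps string values in quotes
  if [ "$val" = "$exp" ]; then echo "OK"; return 0; fi
  echo "FAIL"; return 1
}

# audit_mdatp -> one line per setting; exit status 1 if any setting is non-compliant
audit_mdatp() {
  rc=0
  for f in real_time_protection_enabled behavior_monitoring tamper_protection; do
    v=$(mdatp health --field "$f" 2>/dev/null) || v="<unavailable>"
    r=$(evaluate_field "$f" "$v") || rc=1
    printf '%-30s %-14s %s\n' "$f" "$v" "$r"
    [ "$r" = "OK" ] || printf '  fix: %s\n' "$(remediation "$f")"
  done
  return $rc
}

if command -v mdatp >/dev/null 2>&1; then
  audit_mdatp
else
  echo "mdatp not found; install Microsoft Defender for Endpoint on macOS first" >&2
fi
```

Run it with `sudo` on a managed Mac; a non-zero exit status makes it usable as a compliance check in a scheduled job.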
DIFEND WITH CONFIDENCE