Thursday, November 20, 2014

Double the Trouble: New Mac Malware Families cross double figures for the year

This year has been a critical one for Apple from a security perspective. Between new malware, new exploits and a headline security breach, 2014 has disproved some long-held assumptions about the Apple ecosystem and its security. New malware families appear all the time on Windows, but on the Mac they are a real concern: as OS X is adopted by more and more people, the chance of a large-scale infection is at an all-time high.

So here I'm going to write about the new malware families discovered this year for the Mac and the iPhone. Remember that this article focuses on malware families, not their variants, with a short description of what each family is about.

  • LaoShu: LaoShu was spotted earlier this year. It is a data-stealing Mac trojan that can also act as a RAT (Remote Administration Tool).
    • Propagation/Infection: The malware has been seen as an attachment to phishing emails, often disguised as a PDF or DOC file.
    • Motive: The trojan is mainly a data stealer: it searches the system for documents (DOC, DOCX, XLS, XLSX, PPT, PPTX), zips them and uploads the archive to the CnC server. It also acts as a RAT, letting the malware authors run commands, download files and do other malicious things on your Mac.
  • Careto/Mask/Appetite: Unveiled by Kaspersky earlier this year, Careto is a cross-platform APT toolkit, believed to be a highly sophisticated state-sponsored operation run by Spanish-speaking malware authors. It has infected systems in more than 30 countries.
    • Propagation/Infection: The malware spreads through spear-phishing emails aimed at high-level people in large organisations. The Windows component is believed to have been in operation for at least five years, since 2007-2008.
    • Motive: The malware steals confidential data, including office documents, encryption keys, VPN configurations, SSH keys and RDP files.
  • CoinThief: CoinThief steals bitcoins from the user by monitoring websites such as MtGox and BTC-e for the user's credentials.
    • Propagation/Infection: The malware disguises itself as a legitimate application that can be downloaded from various legitimate websites. Once installed, it runs as a legitimate app for managing cryptocurrency and also installs browser plugins, which monitor web traffic for the user's credentials on various websites.
    • Motive: The malware's sole motive is to steal the user's bitcoins, but it can also receive commands from the server and update itself.
  • NetWire/Wirenet: This malware is an updated edition of the one found in 2012. Basically a bot, it executes commands received from its masters over the internet.
    • Propagation/Infection: The specific mode is unknown. The malware is sold for $60 on some underground forums, but exactly how it gets onto a Mac is unknown; likely routes include drive-by downloads and email attachments.
    • Motive: The malware is a RAT, so its basic functionality is that of a RAT. Once it receives commands from the server it can execute shell commands, take screenshots, monitor processes and scan through the browsers' password files.
  • VSearch: Actually adware, but classed as malware by many security firms because of its annoying behaviour and because it downloads further malware. Probably one of the most widespread adware families on the Mac.
    • Propagation/Infection: It poses as an attractive utility or tool to tempt the user into downloading it.
    • Motive: It installs browser plugins and, like all adware, shows ads, modifies search results and uses clickjacking to generate (not so) legal cash.
  • Downlite: As the name indicates, Downlite is a download manager that is heavily ad-oriented. It tricks the user into downloading other adware and unwanted software like TuneUpMyMac or MacKeeper.
    • Propagation/Infection: Presents itself as a downloader on various download sites or in ads on websites.
    • Motive: Tricks the user into downloading other adware and takes them to illegitimate torrent sites or sometimes harmful websites.
  • VindiInstaller: Another adware family, much like VSearch but from different authors, focused on generating revenue through ads, search redirection and clickjacking. Same functionality as VSearch.
  • XSLCmd: XSLCmd was spotted by FireEye in September. The malware is believed to be an OS X port of the Windows backdoor of the same name, used in a long-running APT campaign. The sample had been sitting on VirusTotal undetected by all AV vendors. Since Mach-O files carry no build timestamp, the file's creation date is unknown.
    • Propagation/Infection: Unknown, but believed to arrive via spear-phishing emails.
    • Motive: The malware acts as a backdoor and spy. It receives commands from the server and carries them out; other features include hooking keyboard APIs to perform keylogging.
  • iWorm: In September, Dr.Web reported about 17,000 Macs infected by a backdoor called iWorm, which does whatever the server directs.
    • Propagation/Infection: The malware spreads through pirated software on torrent sites; specifically, it was found inside a patch for Adobe Photoshop.
    • Motive: The malware executes commands from the server, and can also download other malware or update itself. An interesting feature is that it uses Reddit to obtain its CnC names: it performs a search on Reddit that returns the CnC server list, and takes commands from the servers on that list.
  • WireLurker: WireLurker is the latest addition to the ever-growing list of Mac malware. Although limited to China, it used a unique method of infecting both the Mac and the iPhone. About 500,000 users are believed to have been infected.
    • Propagation/Infection: The malware first gets installed on the Mac via pirated apps downloaded from the Maiyadi app store. The trojanised app installs WireLurker, which then monitors the USB port for an iPhone being attached; when it finds one, it infects the phone.
    • Motive: This malware is a spy: it keeps looking for sensitive information on the phone and transmits it to the server.
  • Honorable mention to the iCloud hack that exposed nude celebrity photos. :D Also to the Masque Attack revealed by FireEye for the iPhone.
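Backdoors like the ones above have to survive a reboot, and one of the commonest ways to do that on OS X is a launchd job: a property list in /Library/LaunchDaemons or /Library/LaunchAgents that names the program to run. The script below is an added example of mine, not code from this post or from any vendor report: it applies a few heuristics to such plists (a com.apple label outside /System, a program living in a temp, user-writable or hidden directory, and RunAtLoad combined with KeepAlive) and runs them over constructed in-memory samples. Every path, label and threshold in it is an assumption made for illustration, not a real indicator from any of the families listed.

```python
"""Heuristic audit of launchd property lists for suspicious persistence (added example)."""
import os
import plistlib

# Apple's own jobs ship under /System; a com.apple.* label anywhere else is treated
# as impersonation. This and the other thresholds below are this example's own
# assumptions, not a published detection rule.
APPLE_JOB_DIRS = ("/System/Library/LaunchDaemons/", "/System/Library/LaunchAgents/")

# Locations where an always-on service has no business living.
UNTRUSTED_PROGRAM_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/",
                              "/private/var/tmp/", "/Users/")


def job_program(job):
    """Executable a launchd job starts: 'Program' wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_job(plist_path, plist_bytes):
    """Return the list of findings for one launchd plist; an empty list means nothing odd."""
    job = plistlib.loads(plist_bytes)
    program = job_program(job)
    if program is None:
        return ["%s: no Program or ProgramArguments" % plist_path]
    findings = []
    if job.get("Label", "").startswith("com.apple.") and not plist_path.startswith(APPLE_JOB_DIRS):
        findings.append("%s: com.apple label outside /System (Apple impersonation)" % plist_path)
    if program.startswith(UNTRUSTED_PROGRAM_PREFIXES):
        findings.append("%s: program in a temp or user-writable path: %s" % (plist_path, program))
    if any(part.startswith(".") for part in program.split("/") if part):
        findings.append("%s: program under a hidden directory: %s" % (plist_path, program))
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("%s: RunAtLoad + KeepAlive, so launchd restarts it whenever it dies" % plist_path)
    return findings


def audit_directories(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents")):
    """Audit every .plist in the given directories on a live system (not used by the demo)."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                try:
                    findings = audit_job(path, fh.read())
                except Exception as exc:  # a malformed plist is itself worth a look
                    findings = ["%s: unreadable plist (%s)" % (path, exc)]
            if findings:
                report[path] = findings
    return report


def make_plist(label, program_args, keep_alive=False):
    """Build a minimal launchd plist; used only to construct the demo samples below."""
    return plistlib.dumps({"Label": label, "ProgramArguments": program_args,
                           "RunAtLoad": True, "KeepAlive": keep_alive})


# Constructed samples (paths and labels are invented for this example, not real IoCs):
# a genuine Apple daemon, a benign third-party helper, a job that borrows the com.apple
# prefix while running from a hidden directory, and an agent launched out of /tmp.
SAMPLE_JOBS = {
    "/System/Library/LaunchDaemons/com.apple.exampled.plist":
        make_plist("com.apple.exampled", ["/usr/libexec/exampled"]),
    "/Library/LaunchDaemons/com.example.vpnhelper.plist":
        make_plist("com.example.vpnhelper",
                   ["/Library/Application Support/Example/vpnhelperd", "--daemon"], keep_alive=True),
    "/Library/LaunchDaemons/com.apple.updateservice.plist":
        make_plist("com.apple.updateservice", ["/usr/local/lib/.updated/update"], keep_alive=True),
    "/Library/LaunchAgents/com.user.helper.plist":
        make_plist("com.user.helper", ["/private/tmp/helper/agent"]),
}


def audit_samples(jobs=SAMPLE_JOBS):
    """Run the audit over in-memory plists and return {path: findings} for flagged jobs only."""
    report = {}
    for path, data in sorted(jobs.items()):
        findings = audit_job(path, data)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_samples().items():
        for line in findings:
            print(line)
```

On the constructed samples, only the fake com.apple job and the /tmp agent are flagged; the Apple daemon and the third-party helper under Application Support pass. On a real machine call audit_directories() instead, and treat the output as a triage list rather than a verdict: the heuristics are deliberately loose, and a clean report says nothing about persistence that does not use launchd.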
As far as I know, these are the new additions to the OS X malware families this year. Any contribution, addition, correction or criticism is highly appreciated.

