From safe harbor to target: MacOS loses immunity to cyberattacks

Man

The growing popularity of the system gave a new impetus to hackers and viruses.

In recent years, the threat landscape for the MacOS operating system has changed significantly, Trellix noted. According to StatCounter, MacOS usage grew by 2% when comparing the periods from January 2021 to January 2023 and from January 2023 to August 2024. The growing popularity of the platform among corporate users is attracting the attention of cybercriminals - from groups specializing in financial crimes to representatives of advanced persistent threats (APTs).

The attractiveness of MacOS for cybercriminals is due not only to the increase in the number of devices, but also to the status of users. Unlike trading terminals, where MacOS is rare, the operating system is more commonly used by developers, information security specialists, vice presidents, and senior executives. Access to the devices of such users opens up opportunities for fraudulent transactions, obtaining confidential information, or disabling internal digital security systems.

The proliferation of threats is facilitated by the growing use of cross-platform programming languages such as Golang in the creation of malware. Unlike traditional languages like C++, which require significant code refinement to work on different platforms, modern multiplatform languages make it possible to include MacOS in the list of target systems for attacks with minimal effort.

The North Korean hacker group Lazarus is particularly active in attacks on MacOS. Since 2018, the group has been spreading malware through fake cryptocurrency trading applications, as MacOS is more prevalent among cryptocurrency users and enthusiasts. An example is the GMERA malware embedded in fake platforms like "Union Crypto Trader." Victims are lured through phishing emails and sophisticated social engineering techniques. Once installed, the malware maintains control over MacOS systems by registering itself as a LaunchDaemon or LaunchAgent.

By 2020, Lazarus had expanded its arsenal with cross-platform malware. The ElectroRAT campaign, which took place in 2020-2021, targeted cryptocurrency users on MacOS, Windows, and Linux systems. The group created fake websites and fake Internet profiles to promote malicious applications on cryptocurrency forums. The malware provided backdoor access to the victims' systems.

Lazarus has also launched supply chain compromise attacks with XcodeSpy, which targets MacOS developers. The attackers injected malicious scripts into open-source repositories. When infected Xcode projects were compiled, developer systems were infected. This approach not only gave access to development environments, but also created risks for the software being built on them.

In 2022-2023, Lazarus increased its focus on corporate targets. The group conducted phishing campaigns under the guise of recruiting, distributing signed malware disguised as files for job seekers. Once opened, the files installed programs to steal corporate data.

The group actively uses the cross-platform programming languages Python, Golang, and Rust. In 2023, the RustBucket malware, a multi-stage backdoor for MacOS written in Rust, was discovered. The program uses AppleScript to load its payload and LaunchAgents to gain a foothold on the system.
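Both GMERA and RustBucket persist through launchd, so the LaunchAgents and LaunchDaemons folders are where a defender looks first. The script below is an added example, not code from the article or from Trellix: it parses launchd property lists with the standard library and reports the traits the article describes (a script interpreter such as osascript as the program, files in user-writable folders, an Apple-looking label pointing elsewhere, auto-start plus auto-restart). The path heuristics and the two sample plists are assumptions constructed for the demonstration.

```python
"""Audit launchd property lists for common persistence red flags (added example)."""
import plistlib

# Interpreters a launch agent rarely needs to invoke directly; RustBucket drives
# its payload with AppleScript, which launchd would run via osascript.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python", "python3", "perl", "curl"}
# Assumed heuristics: paths a legitimate persistent program should not live in,
# and paths a com.apple.* label is expected to point into.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/")
APPLE_OWNED = ("/System/", "/usr/", "/Library/Apple/")


def analyze_launchd_plist(raw: bytes) -> list:
    """Return human-readable indicators found in one LaunchAgent/LaunchDaemon plist."""
    d = plistlib.loads(raw)
    label = d.get("Label", "")
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    program = args[0] if args else ""
    paths = [a for a in args if a.startswith("/")]
    findings = []
    for p in paths:
        if p.startswith(USER_WRITABLE):
            findings.append(f"path in user-writable location: {p}")
    if program.rsplit("/", 1)[-1] in INTERPRETERS:
        findings.append(f"interpreter launched directly: {' '.join(args)}")
    if label.startswith("com.apple.") and not all(p.startswith(APPLE_OWNED) for p in paths):
        findings.append(f"Apple-looking label pointing outside Apple paths: {label}")
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at login and is restarted if killed")
    return findings


# Constructed sample plists (not real artifacts): a benign vendor agent and one
# that mimics an Apple label, runs AppleScript, and keeps its script in a shared folder.
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "Program": "/Applications/Example.app/Contents/MacOS/updater",
    "RunAtLoad": True,
})
SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/usr/bin/osascript", "/Users/Shared/.update.scpt"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, analyze_launchd_plist(raw) or ["no indicators"])
```

On a real host, feed the function each file under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents; indicators are a prompt to inspect, not proof of compromise.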

Experts emphasize that the widespread belief in the greater security of MacOS rests only on the lower prevalence of the system. As the popularity of the platform grows in the corporate sector, so does the number of targeted attacks on MacOS users. Although the article mentions specific groups from certain regions, the list of threats is much wider.
