Attacking Apple: Mac Malware and Zero-Day Threats in 2021

Joshua A. Long

Intego

Abstract:

If you ask the average person, they probably think that malware is a big problem for Windows, but not for Mac. Apple touts its supposed focus on user privacy, new security features are added to Apple’s operating systems every year, and it’s rare to hear about Mac malware in the mainstream news. But are Macs really as safe as people think?

In this presentation we will discuss the evolution and current state of Mac malware, focusing on new threats. We’ll unveil intriguing tales of the discovery of new malware, threat actors’ exploitation of zero-day vulnerabilities, malware that targets the latest Macs with Apple Silicon (M1) processors, and more. We’ll also examine why it’s critical to stay on the very latest version of macOS, even though the operating system itself doesn’t protect against every threat.

Additional Details:

This presentation may potentially discuss (as time permits; I will focus on the most interesting aspects of malware campaigns such as the following):

• Zero-day exploitation of CVE-2021-30657 by Mac malware – Python malware that bypassed Apple’s Gatekeeper protection
• My discovery of IncendiPlant malware – my own original research, not yet published
• AdLoad adware/bundleware loaders went entirely undetected by Apple’s XProtect definitions
• Silver Sparrow: 40,000 Macs infected by mysterious M1-native malware – see my write-up at https://www.intego.com/mac-security-blog/silver-sparrow-40000-macs-infected-by-mysterious-m1-native-malware/
• GravityRAT and IPStorm: Mac malware, ported from Windows – see my write-up at https://www.intego.com/mac-security-blog/gravityrat-and-ipstorm-mac-malware-ported-from-windows/
• Discussion of other zero-day threats (in addition to CVE-2021-30657, mentioned above) that Apple patched in 2020/2021 and noted were actively exploited in the wild
• My original research into whether the latest version of macOS is safer than the two previous versions (Apple releases patches for the current and two previous macOS versions, but unbeknownst to most people, not every vulnerability gets patched for the two previous operating systems)