Intego Mac Security Podcast

A Look Back at 2023’s Mac Malware, and What To Expect in 2024 – Intego Mac Podcast Episode 329


We take a close look at the malware that has affected the Mac, iPhone, and iPad in 2023, and highlight which types of malware are likely to be common in 2024.


If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.


Transcript of Intego Mac Podcast episode 329

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday February 1, 2024. This week’s Intego Mac Podcast takes a special look at the malware affecting Macs and iPhones in 2023. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:31
Good morning, Josh, how are you today?

Josh Long 0:32
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:34
I’m doing a little bit better. Now, if people notice that my voice sounds the same as last week’s episode, it’s because we’re recording on the same day. Josh is in an undisclosed location. And this week, we want to take a look back at Mac malware in 2023, and what we can expect in 2024. We’re gonna go through this in several categories, because there’s been a lot of malware. I think, in all the years that we’ve been doing this sort of podcast episode and article, this is the most that I’ve seen in one year of different things, even if a lot of them have similar actions. We want to start with ChatGPT. Which, what is it, a little more than a year now since ChatGPT broke out, and you say is the malware makers’ new AI partner in crime?

Josh Long 1:16
That was an article I wrote early last year. This was when people were just starting to experiment more with ChatGPT. It came out, I think, in November 2022. But it really started to pick up steam at the beginning of the year, as more people were hearing about it and hearing about what it could do for them. More people were curious about it and started trying it out. And of course, naturally, security researchers and bad guys started experimenting with ChatGPT to see what they could do as far as creating malware. Now, of course, OpenAI, the company that makes ChatGPT, put some guardrails in place to make sure that it was difficult to create malware and do some overtly malicious things with the software. But some clever researchers came up with the idea of tricking ChatGPT into thinking that it was a different chatbot named “DAN”, which stood for “do anything now”. So they would tell ChatGPT, these are your new rules. And of course, people have come up with other ideas as OpenAI has continued to patch these things. In the meantime, though, there have been a lot of other competitors that are more specifically designed to work with you to allow you to create malware or to write phishing campaigns and other things like that. WormGPT is one that has been notorious for being on the dark web and obviously has an attacker perspective, like a bad guy perspective on things. One that actually came out just pretty recently is called WhiteRabbitNeo. And it has a more good guy centric focus. But you can, of course, use it for potentially malicious things as well. So the idea being that if you’re a red teamer, or somebody who is hired to attack things in order to make sure that they are robust for when the real bad guys come along, you know, the idea is that WhiteRabbitNeo gives you all those capabilities, but packaged in such a way that it’s designed to be used by the good guys.
Meanwhile, also xAI, one of Elon Musk’s companies, of course, because it’s named X something, came out with a chatbot called Grok, which, if you ask it nicely, will often be able to produce malware content for you, as well as phishing content and other things as well. So there are lots of these ChatGPT-like tools out there now that make it easier than ever for bad guys to write malicious code.

Kirk McElhearn 3:49
Okay, we have a couple of reports of the FBI shutting down malware makers, and this deserves a “finally”, doesn’t it?

Josh Long 3:56
Well, yeah, it does. So one of those examples was NetWire malware, which 11 years prior started to be a problem for the Mac. If you’re a longtime Mac user, you might remember headlines way back in the day about NetWire, NetWeird, and it had some other nicknames as well. But this malware has been around on the Mac for a long time. And this was commercial spyware, but of course designed really to be used by bad guys to spy on other people without their permission. And so after 11 years, the FBI finally shut them down. Also, the FBI shut down servers for Snake malware, which we wrote about; there was a Mac version of it way back in 2017. So the FBI took a long time, but hey, at least they’re finally getting around to shutting down some of these bad guys.

Kirk McElhearn 4:50
Okay, so one of the biggest families of malware that we’re seeing lately is Stealer malware, and what it does is it gets on your device and it wants to, as Josh likes to say, exfiltrate data from your device. It wants to copy your passwords and usernames, and it’s often targeting cryptocurrency wallets.

Josh Long 5:08
That’s right, cryptocurrency wallets have been one of the really big targets. And by the way, there are tons of families of Stealer malware on the Mac, many of them surfaced for the first time in 2023. Just to give you a quick rundown of some of the names, so there was FakeGPT. This was actually a Google Chrome extension, so this was cross platform. And it was specifically designed, it was meant to be, supposedly, an extension that would give you access to ChatGPT within your browser. And what it actually did was it hijacked your Facebook accounts by stealing your cookies. There have been a bunch of others: MacStealer, AtomicStealer, Realst, MetaStealer. Those are just some examples of malware on the Mac this year that have been specifically designed to steal cookies, authentication cookies, so that bad guys can log into your accounts without having to know your password or having your two factor authentication methods. And also to steal your cryptocurrency wallets. Usually all of that has been stolen out of your browser, by the way, as well as, like you mentioned, your passwords and usernames.

Kirk McElhearn 6:17
And this is the kind of malware that, if it works, we don’t even know it’s there. Unless you’re using Intego VirusBarrier.

Josh Long 6:25
That’s right, very often Stealer malware tries to hide itself. And so you won’t necessarily know; there won’t be big flashy alerts saying, oh, your computer is infected, you need to clean this. No, what Stealer malware does is it tries to hide under the radar. And so yes, if you’re using Intego VirusBarrier, you are protected from all of the malware that we’re talking about on this episode.

Kirk McElhearn 6:48
Okay, so another category is APT malware that is advanced persistent something (Threats) threats, yes, advanced persistent threats. I like when we have these terms that sound like they’re from Mission Impossible.

Josh Long 7:01
Yes. So there are a lot of different APT groups out there. And a couple of the malware families that we’ve seen this year have actually come from North Korea based APT groups, including the Lazarus group, and BlueNoroff, which is somehow related to the Lazarus group, maybe a spin off or subgroup. So first, the Lazarus group came out with SmoothOperator. So they infected some voice over IP software that’s available cross platform. And one of the platforms that they specifically targeted was the Mac. Another example is RustBucket, which was made by BlueNoroff. And in that case, you had some fake PDF viewer apps that were actually malware in disguise. And so what was this malware trying to do? Well, SmoothOperator would connect to a command and control server. So basically, the idea is that the bad guys who distributed this malware would be able to communicate directly with your computer, send it commands remotely, and do other malicious things, whatever it was that they might want to do with your machine. With RustBucket, most likely the intent was to steal cryptocurrency, so yet another example of Stealer malware.

Kirk McElhearn 8:11
But these are nation state funded groups. So were their intentions also to try and get into, I don’t know, government computers?

Josh Long 8:20
It’s certainly possible. Yeah. And there may have been some specific targets for these attacks. We don’t know who the original target was for RustBucket, because the way that this malware was found was through something called retro hunting. So the idea being, you’re looking for particular patterns and things like that to discover new malware on an existing database like VirusTotal, for example. Although the malware was discovered, it was discovered in such a way that we don’t actually know who was being targeted by this malware in the first place. (Okay, so this is some high level stuff.) Absolutely. And by the way, these are not the only examples of APT groups this year. In fact, we’ve got several examples of APT groups that are targeting iPhones this year, and most of the time we’re talking about Mac malware. But there have been several different threat actor groups. You couldn’t call them APTs, because really the way that their software works is surreptitious, it comes in through a vulnerability. These are essentially threat actors and APT groups.

Kirk McElhearn 9:23
But hasn’t Apple told us that the iPhone is the most secure computing platform on the planet?

Josh Long 9:28
Well, you know, privacy, that’s iPhone, right? I mean, that’s what Apple wants us to believe. Right? And well, you can’t have privacy without security. So therefore, it must have great security, you know, thing is with enough resources with enough time. And with enough money, you can pretty much find vulnerabilities that can affect just about any platform and potentially even zero click vulnerability sometimes, meaning that a bad guy could, for example, send a text message to your device and without you even opening the message, it could infect your device.

Kirk McElhearn 10:04
Okay, we’re gonna take a break. When we come back we’re gonna talk a little bit more about specific iPhone malware, and some other malware threats from 2023.

Voice Over 10:14
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware, and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com; click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users, made by the Mac security experts.

Kirk McElhearn 11:30
Let’s talk about some specific iPhone malware. What I really like is what you mentioned before the break these no click or no tap on an iPhone vulnerabilities, which generally occur when there’s a vulnerability in the display of an image, for example, and someone sent you an image through iMessage. And just by rendering that image, the malware gets into your phone. I just think that’s so clever.

Josh Long 11:51
Right? In particular, that image, or sometimes it’s something like a PDF file; very often PDF files are used for these types of attacks. And that actually brings up an interesting point. So the NSO Group, which creates some commercial spyware that’s supposed to be only available to law enforcement and government agencies, they’ve used attacks like this in the past with zero click attacks. So these are well funded attacks. If you’re using Lockdown Mode, very often these attacks will get stopped. In fact, we had a story we published earlier last year that talks about how some NSO Group spyware actually got blocked by having Lockdown Mode enabled. So if you aren’t particularly concerned that you might be targeted by one of these types of threat actors, then make sure to turn on Lockdown Mode. You can turn it on, by the way, for your iPhone, as well as your Mac. And also, as of the most recent version of watchOS, you can turn it on. In fact, it will automatically be on on your Watch if you have it on for your iPhone.

Kirk McElhearn 12:54
Of course, Lockdown Mode is not for everyone; it does limit the things you can do with your device. But if you think you’re at risk, it is useful to turn it on.

Josh Long 13:02
Right? It turns off a lot of features, which is kind of ironic, right? But it makes sense when you consider that basically what you’re doing is you’re reducing your attack surface; you have fewer vulnerable points. And so even if someone is using a vulnerability that Apple doesn’t know about yet, it’s less likely that they’ll be able to infect your iPhone using one of these commonly vulnerable points if you have Lockdown Mode on. So we mentioned NSO Group; other iPhone malwares come from QuaDream. There’s also TriangleDB. Now that was a pretty interesting one, because Kaspersky, which is another antivirus company based in Russia, they actually discovered that they had phones of their own employees that were infected by some malware that was called TriangleDB. And so they did a bunch of research into that and wrote several write ups about the vulnerabilities, and really the chain of vulnerabilities that was used to infect their devices. That was a fascinating story this past year. And we also heard about the Predator malware as well. So while the NSO Group is well known for its Pegasus malware, there’s also Predator malware, which typically is like a one click attack rather than a zero click, so this is like the budget version of Pegasus.

Kirk McElhearn 14:26
That QuaDream spyware is interesting because it hacked iPhone victims using rogue calendar invites. And I like that type of approach, that it would send you an invite to a meeting or something. Now for someone like me, I don’t have a lot of meetings. I have podcasts. I have interviews. I’ve got a handful of meetings every week. For someone in business with lots of meetings, they get in their inboxes all these meetings, they click OK. And then when they go to see what the meeting is about, they click a link and boom. This reminds me of something a few years ago that used to occur in iCal; we would get iCal calendar spam, and I don’t know how Apple got rid of that. But I haven’t heard of that in many years.

Josh Long 15:02
Yeah, it doesn’t seem like that’s been much of a problem recently. That’s a good point.

Kirk McElhearn 15:06
Well, maybe Apple fixed something on the back end to prevent that from happening. So Trojan horses, I guess a lot of malware has always been Trojan horses, right? You download a Flash Player update, and you run it and install something. That’s the whole point of a Trojan horse. What have we seen this year?

Josh Long 15:22
Yeah. So finally, it seems like the bad guys are finally backing off from fake Flash Player updaters. I guess they realize that, finally, they’re not working as well as they used to. Because, you know, people realize Flash doesn’t exist anymore. Like, when was the last time you ever saw something in Flash? Well, it was probably three plus years ago at this point. So it hasn’t really been something that is working well for them anymore. So they’ve moved on to other things. And you know, just about any app that you can imagine, there’s probably some trojanized version of it out there, or some fake version of this app. So maybe you go to the Pirate Bay, or one of these other places that have illegitimate software. And you might think that you’re downloading some Adobe software, for example. And well, it’s not, actually; it’s just a Trojan horse that’s going to infect your Mac. And there are many, many examples of this, too many to list on this podcast. But every year, we see tons of examples of these Trojan horses. Again, all of this malware is something that Intego VirusBarrier will detect and will prevent you from accidentally installing on your computer. That’s not to say that, of course, you shouldn’t go out and try to find a legitimate software and install it on your Mac. That’s obviously still not a good idea to do that. One other Trojan horse family that we mentioned earlier, in the context of Stealer malware, is something called Realst. And this is actually really interesting because it disguises itself as video games. So interestingly, there’s a lot of interest, apparently, among certain sections of the gamer population, that are interested in these NFT based video games. I don’t really understand all of this, but somehow they use blockchains and non fungible tokens and NFTs. And these technologies tend to be of interest to people who also own cryptocurrency.
And so we’ve seen a lot of examples of malware that is part of very sophisticated campaigns that look like a fully legitimate playable video game. They hire people to run social media and create video content on YouTube and other platforms. And the whole purpose behind this is a very elaborate scheme to get people to install these video games that are actually just designed to steal your cryptocurrency wallets. So that’s a really fascinating example of a Trojan horse. It’s also a Stealer. But because it disguises itself as video games, it blows me away to see how much effort is put into these campaigns.

Kirk McElhearn 18:08
It’s true, but the people behind this know that people are global, and they’re looking for free stuff. And they target a group of people who coalesce around certain ideas, and cryptocurrency is a really popular idea. And don’t forget that cryptocurrency, for the most part, is a get rich quick scheme. So a lot of people are thinking that anything to do with cryptocurrency is going to be a way to make some money. It’s not like they’re seriously into the whole libertarian idea of a non fiat currency. Okay, speaking of scams, like cryptocurrency, we’ve seen a lot of scam apps this year, and some of these in the Mac App Store and the iOS App Store. And we know that Apple has to approve a lot of apps for these app stores. But they don’t seem to be doing well enough to get rid of scam apps, some of which piggyback on well known names in order to get lots of downloads really quickly. Fortunately, there are a few researchers who pay attention to this. And it’s as if Apple only finds out about these scam apps through these researchers publicizing the apps that they’ve discovered.

Josh Long 19:10
Right. And as some specific examples of apps that we’ve seen in the iOS App Store this past year, there was an app that was designed to look like Threads. So Meta-slash-Instagram-slash-Facebook launched a new social network called Threads in the past year. And there was already, like almost immediately, an app that was designed to look like Threads, but it wasn’t actually Threads. And that was available in the App Store. And interestingly, the real Threads social network did not launch in the EU at first. And this fake app was available in the App Store in the EU. So it was very possible that a lot of people from the EU were looking for this app, the real legitimate app, and only saw this one and assumed that this must be the one that they were looking for, when in fact, it wasn’t. Another example of scam apps in the App Store that were designed to take advantage of popular names of companies and apps: as soon as xAI launched its Grok AI chatbot, there were already xAI named apps in the App Store. Some of them even used the exact, like, you know, lowercase x capital AI, just like the real xAI company. And there were several examples of these, not only in the iOS App Store, but also a couple of these apps could be run on iPadOS, which means that you could also run them on macOS; you might remember that it’s possible to run iPad apps on a Mac as well. Not only that, but there were also some of these apps available in the Google Play Store. So if you’re an Android user, you could have also come across some of these very same apps that were distributed in multiple stores. By the way, there’s a whole other category that we haven’t even really talked about of iOS scam apps, and that is these loan apps. So there are a lot of fraudulent loan apps. Not necessarily so common in, like, the United States. But in many countries, for example India, loan apps are a very common thing. In many of these territories,
these scam apps are popping up constantly, like almost as soon as one gets taken down, another one pops up. One particular researcher who has done a lot of investigation into these apps, and has reported a lot of apps to both Apple and Google, has come across so far, as of today, 322 scam apps in the App Store of the loan scam app variety.

Kirk McElhearn 21:49
Right. And it shows that Apple isn’t trying too hard, or that the scammers are just more efficient than Apple. Before we finish, it’s not entirely malware, but we’ve seen some interesting invoice phishing attacks. We’ve talked about this on the podcast, and on the Intego Mac Security Blog. These are phishing groups that are leveraging existing platforms. We’ve seen this with Intuit QuickBooks, we’ve seen this with PayPal, and they’ll send you invoices, often for the Best Buy Geek Squad, which is kind of like an AppleCare type subscription, around $350. And it says, if you don’t agree with this charge, call this number. And you did an interesting test by calling one of those numbers to see how the scammers reacted.

Josh Long 22:32
That’s right. And it turns out that the main goal of these attacks is most likely to steal money from people’s bank accounts. The idea is that they convince you that you’ve got some charge that needs to be reversed in your bank account. And so they have you log into your bank account. Meanwhile, they’re watching you do all of this because they’re connected through a remote access helper tool, right? To help you through this process and to identify where this charge might have been, so they can help you reverse the charge. And of course, you don’t see the charge because, obviously, this is a fraudulent invoice. And so they convince you, oh, okay, well, you know, call us back in 20 minutes, and we’ll try again. Meanwhile, they leave the connection active. And so as soon as you walk away from your computer, now they’re able to transfer money out of your account. And they may also do other things like implant malware on your computer, or who knows what else, since they’ve got access to your computer.

Kirk McElhearn 23:32
Okay, that’s a lot of malware for 2023. I predict we’re going to have a lot of malware for 2024. I’m curious if we’re going to see malware that attacks the Vision Pro. We’ll find out in a few months.

Josh Long 23:45
That would be really interesting. I think we can pretty much guarantee that we’re gonna see a ton more Stealer malware. This was really common on the Mac in 2023. We’re definitely going to see a lot more of this in 2024, as well as APT malware. We know that the sophisticated threat actors like targeting the Mac every single year, and in the past several years, we’ve seen new APT malware on the Mac. 2024, I’m sure, is going to be no exception to that.

Kirk McElhearn 24:12
Okay, until next week, Josh, stay secure.

Josh Long 24:14
All right, stay secure.

Voice Over 24:17
Thanks for listening to the Intego Mac Podcast—the voice of Mac security—with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.