Two malware threats that began on Windows—GravityRAT and IPStorm—are now available for Mac, Android, and Linux, too.
So what does each malware family do? And what does this mean for the future of Mac malware? Read on for details.
In 2018, GravityRAT was ported to Android. The malware maker used the source code of a legitimate Android mobile app called Travel Mate, and added malicious code and distributed it as “Travel Mate Pro.” The real Travel Mate is an app designed for people who travel in India.
As reported by Securelist, GravityRAT malware has more recently been discovered masquerading as “Enigma,” a supposed secure file sharing app that claims to somehow protect against ransomware. First seen on Windows in September 2019, Enigma has also been ported to macOS.
Other Windows and Mac variants of this Trojan have been distributed under the pretend product names “OrangeVault,” “StrongBox,” and “TeraSpace.”
The latest IPStorm variant targets devices running UNIX-like operating systems, including Linux, Android-based TV boxes, and Darwin, the open-source core of macOS.
IPStorm spreads by running dictionary-based, brute-force password-guessing attacks against SSH servers, and by connecting to Android Debug Bridge (ADB) ports that have been left reachable from the network.
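The two propagation paths described above, SSH password guessing and exposed ADB, leave traces a defender can look for. The script below is an added example written for this article, not code from Intego or from the Barracuda write-up: it flags sources whose failed SSH password logins reach a burst threshold (and whether a password login from that source later succeeded), and it lists the addresses on which an ADB daemon is bound to something other than loopback. The sshd log lines and the `ss -ltn` listing are constructed samples, the 2020 year used to parse syslog timestamps is an assumption, and the 10-failures-in-5-minutes threshold is a starting point rather than a value tied to the malware.

```python
"""Detection helpers for the IPStorm spreading techniques: dictionary-based
SSH password guessing and exposed Android Debug Bridge (ADB) ports.
Added example for this article; not Intego's or Barracuda's code. All log
lines and socket listings below are constructed samples; thresholds and the
syslog year are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard OpenSSH authentication messages in syslog format.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: 12 rapid failures from one source, then a successful
# password login from the same source; one stray failure from elsewhere.
_ATTACKER = "203.0.113.7"
SAMPLE_AUTH_LOG = "\n".join(
    [f"Oct 10 02:14:{s:02d} tvbox sshd[8{s:02d}]: Failed password for root "
     f"from {_ATTACKER} port {41000 + s} ssh2" for s in range(1, 13)]
    + [f"Oct 10 02:14:30 tvbox sshd[830]: Accepted password for root "
       f"from {_ATTACKER} port 41040 ssh2",
       "Oct 10 02:15:10 tvbox sshd[840]: Failed password for invalid user pi "
       "from 198.51.100.9 port 50011 ssh2",
       "Oct 10 02:20:00 tvbox sshd[900]: Accepted publickey for admin "
       "from 198.51.100.5 port 50022 ssh2"]
)


def _parse_ts(ts, year=2020):
    # syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text, window=timedelta(minutes=5), threshold=10):
    """Return {ip: finding} for sources whose failed-password logins inside
    any `window` reach `threshold`. If a password login from that source is
    accepted after the failures began, the user it logged in as is recorded."""
    failures = defaultdict(list)   # ip -> timestamps of failed password logins
    accepted = defaultdict(list)   # ip -> (timestamp, user) of accepted logins
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not part of a guessing attack
        ts = _parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["ip"]].append(ts)
        else:
            accepted[m["ip"]].append((ts, m["user"]))

    findings = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window over sorted timestamps: largest burst within `window`.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        later = [u for t, u in accepted.get(ip, []) if t >= times[0]]
        findings[ip] = {
            "failed_in_window": best,
            "total_failed": len(times),
            "success_after_burst": later[0] if later else None,
        }
    return findings


# Constructed `ss -ltn` style output. ADB over TCP listens on 5555 by default;
# 5037 is the local adb server and is bound to loopback here.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      4            0.0.0.0:5555        0.0.0.0:*
LISTEN 0      4          127.0.0.1:5037        0.0.0.0:*
"""
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def exposed_adb_listeners(ss_text, adb_port=5555):
    """Return local addresses on which ADB is bound to a non-loopback address
    (0.0.0.0, *, [::] or a specific interface), i.e. reachable over the network."""
    exposed = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m["port"]) != adb_port:
            continue
        addr = m["addr"].strip("[]")
        if addr not in ("127.0.0.1", "::1"):
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    for ip, finding in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"SSH dictionary attack from {ip}: {finding}")
    print("ADB reachable from the network on:", exposed_adb_listeners(SAMPLE_LISTENERS))
```

On a real host, feed `detect_ssh_bruteforce` the contents of `/var/log/auth.log` (or `journalctl -u ssh` output) and `exposed_adb_listeners` the output of `ss -ltn`; a hit in the first with a non-empty `success_after_burst` means the guessing paid off and the host should be treated as compromised, and any address in the second means ADB should be disabled or bound to loopback and the device placed behind a firewall.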
While the ultimate intentions of the malware maker and botnet operator are unknown, an estimated 13,500 devices across at least 84 countries are infected, and 59 percent of those devices are located in Hong Kong, South Korea, or Taiwan.
Nevertheless, it’s very interesting to see IPStorm and GravityRAT, two unrelated Windows malware families, making their way to Mac in such a short span of time.
Is this a sign of things to come? Probably.
The Mac operating system’s market share has more than doubled over the past seven years, according to data from Statista. Moreover, we’ve seen a continuous increase in Mac malware in recent years.
We’ve even seen state-sponsored attackers that historically made Windows malware beginning to target macOS, as was the case with Lazarus malware as part of Operation AppleJeus in 2018.
Windows malware developers are likely noticing these trends, and for these and other reasons, Macs are becoming an ever more interesting target for cybercriminals.
Note: Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of VirusBarrier and macOS if possible to ensure your Mac gets all the latest security updates from Apple.
The following are some known SHA-256 hashes of malicious Mac files from these malware families.
GravityRAT:
65EEF61BA8FC477771BCF37A1C6DF5EA636EF61AC29187D49EB13BA93C228E9A
84D6372141166F87DE9C557E030B866AFFAEB726D66DA204B0A711B1167C83BE
C29BEEDDFF66D825E9A813B5BBFECA513AEC5E4BA3CF1A45284EED9E2A9DFE0E
IPStorm:
4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1
For more technical details about this malware, you can refer to Securelist’s write-up of GravityRAT and Barracuda’s write-up of IPStorm.
GravityRAT logo header image based on: “Newton’s apple” by Alexander Borek (CC BY-SA 4.0) and “Vector Illustration of Long-Tailed Rodent Rats Sniff the Air,” Designed by Wannapik (CC BY); both images modified.