Macos Malware



We design Mac hardware and software with advanced technologies that work together to run apps more securely, protect your data, and help keep you safe on the web. And with macOS Big Sur available as a free upgrade, it’s easy to get the most secure version of macOS for your Mac.*

Malwarebytes said there was a 400 percent increase in threats on Mac devices from 2018 to 2019, and found an average of 11 threats per Mac devices, which about twice the 5.8 average on Windows. MacOS has many features that help protect your Mac and your personal information from malicious software, or malware. One common way malware is distributed is by embedding it in a harmless-looking app. You can reduce this risk by using software only from reliable sources.

Apple M1 chip.
A shared architecture for security.

Macos Malware Scanner

The Apple M1 chip with built-in Secure Enclave brings the same powerful security capabilities of iPhone to Mac — protecting your login password, automatically encrypting your data, and powering file-level encryption so you stay safe. And the Apple M1 chip keeps macOS secure while it’s running, just as iOS has protected iPhone for years.

Apple helps you keep your Mac secure with software updates.

The best way to keep your Mac secure is to run the latest software. When new updates are available, macOS sends you a notification — or you can opt in to have updates installed automatically when your Mac is not in use. macOS checks for new updates every day and starts applying them in the background, so it’s easier and faster than ever to always have the latest and safest version.

Protection starts at the core.

The technically sophisticated runtime protections in macOS work at the very core of your Mac to keep your system safe from malware. This starts with state-of-the-art antivirus software built in to block and remove malware. Technologies like XD (execute disable), ASLR (address space layout randomization), and SIP (system integrity protection) make it difficult for malware to do harm, and they ensure that processes with root permission cannot change critical system files.

Download apps safely from the Mac App Store. And the internet.

Now apps from both the App Store and the internet can be installed worry-free. App Review makes sure each app in the App Store is reviewed before it’s accepted. Gatekeeper on your Mac ensures that all apps from the internet have already been checked by Apple for known malicious code — before you run them the first time. If there’s ever a problem with an app, Apple can quickly stop new installations and even block the app from launching again.

Stay in control of what data apps can access.

Apps need your permission to access files in your Documents, Downloads, and Desktop folders as well as in iCloud Drive and external volumes. And you’ll be prompted before any app can access the camera or mic, capture keyboard activity, or take a photo or video of your screen.

FileVault 2 encrypts your data.

With FileVault 2, your data is safe and secure — even if your Mac falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. Mac computers built on the Apple M1 chip take data protection even further by using dedicated hardware to protect your login password and enabling file-level encryption, which developers can take advantage of — just as on iPhone.

Designed to protect your privacy.

Online privacy isn’t just something you should hope for — it’s something you should expect. That’s why Safari comes with powerful privacy protection technology built in, including Intelligent Tracking Prevention that identifies trackers and helps prevent them from profiling or following you across the web. A new weekly Privacy Report on your start page shows how Safari protects you as you browse over time. Or click the Privacy Report button in your Safari toolbar for an instant snapshot of the cross-site trackers Safari is actively preventing on that web page.

Automatic protections from intruders.

Safari uses iCloud Keychain to securely store your passwords across all your devices. If it ever detects a security concern, Password Monitoring will alert you. Safari also prevents suspicious websites from loading and warns you if they’re detected. And because it runs web pages in separate processes, any harmful code is confined to a single browser tab and can’t crash the whole browser or access your data.

Find your missing Mac with Find My.

The Find My app can help you locate a missing Mac — even if it’s offline or sleeping — by sending out Bluetooth signals that can be detected by nearby Apple devices. These devices then relay the detected location of your Mac to iCloud so you can locate it. It’s all anonymous and encrypted end-to-end so no one — including Apple — knows the identity of any reporting device or the location of your Mac. And it all happens silently using tiny bits of data that piggyback on existing network traffic. So there’s no need to worry about your battery life, your data usage, or your privacy being compromised.

Keep your Mac safe.
Even if it’s in the wrong hands.

All Mac systems built on the Apple M1 chip or with the Apple T2 Security Chip support Activation Lock, just like your iPhone or iPad. So if your Mac is ever misplaced or lost, the only person who can erase and reactivate it is you.

Macos Malware

macOS Security

A new malicious package has been spotted this week on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems.

The malicious package is called 'web-browserify,' and imitates the popular Browserify npm component downloaded over 160 million times over its lifetime.

web-browserify is itself built by combining hundreds of legitimate open-source components, and performs extensive reconnaissance activities on an infected system.

Macos Malware

Moreover, as of today, the ELF malware contained with the component has a zero detection rate by all leading antivirus engines.

Spawns a persistent, ELF executable on install

This week, a malicious component 'web-browserify' was found on the npm registry.

The component was detected by Sonatype's automated malware detection system, Release Integrity, and deemed malicious after analysis by the Sonatype security research team, that I'm a part of.

'web-browserify' is named after the legitimate Browserify component that scores over 1.3 million weekly downloads and used over by 356,000 GitHub repositories.

The malicious component, 'web-browserify' in contrast is just shy of 50 downloads—before it was pulled from npm within two days of its publishing.

'web-browserify' is created by a pseudonymous author describing themselves to be Steve Jobs.

The package consists of a manifest file, package.json, a postinstall.js script, and an ELF executable called 'run' present in a compressed archive, run.tar.xz within the npm component.

As soon as 'web-browserify' is installed by a developer, the scripts extract and launch the 'run' Linux binary from the archive, which requests elevated or root permissions from the user.

Macos Malware

The extracted run binary is approximately 120 MB in size and has hundreds of legitimate open-source npm components bundled within it, that are being abused for malicious activities.

For example, one such component is the cross-platform 'sudo-prompt' module that is used by run to prompt the user for granting the malware root privileges on both macOS and Linux distributions.

Because elevated privileges would be requested almost at the same time 'web-browserify' was being installed, the developer may be misled into believing that it is the legitimate installer activities requiring elevated permissions.

As seen by BleepingComputer, once the ELF acquires elevated permissions, it gains persistence on the Linux system and copies itself to /etc/rot1 from where it subsequently runs on every boot:

Phones home with your info to an 'example' domain

The malware has advanced reconnaissance and fingerprinting capabilities.

It uses another legitimate npm component, systeminformation, to collect the following bits of information from the infected system:

  • System username
  • operating system information, such as manufacturer/brand
  • Information on Docker images
  • Bluetooth-connected devices
  • Virtual Machines present on the system or if virtualization is enabled
  • CPU speed, model, and cores
  • RAM size, hard drive capacity, disk layout, system architecture
  • Hardware information regarding network cards/interfaces, battery, WiFi, USB devices, etc.

Macos Malware Reviews

As confirmed by BleepingComputer at least some of this fingerprinting information is exfiltrated to an attacker-controlled domain over a plaintext (HTTP) connection, as GET parameters:

Of particular note is the domain used by the attacker for carrying out these activities:

Although at the time of our analysis, BleepingComputer observed the server where the domain points to is responding with a 404 (not found), the word ejemplo means 'example' in Spanish.

A domain such as ejemplo.me can therefore easily be mistakenly conflated with legitimate test domains, such as example.com cited by applications and their documentation.

Additionally, under certain circumstances, the malware attempts to remove the contents of the /etc/ directory and disable critical Unix services by tampering with the systemctlutilityand the systemd directory.

Zero VirusTotal detection rate

Despite the malware engaging in outright nefarious activities by abusing legitimate open-source components, it has a perfect zero score on VirusTotal, at the time of our analysis.

The fact that it uses genuine software applications to perform shady activities could be one of the reasons that no antivirus engine has been able to flag this sample yet (the sample itself was submitted to VirusTotal on April 10th, 2021).

It also remains a mystery as to why, the 'web-browserify' component, although caught by Sonatype, was unpublished by its author almost two days later after its initial publishing.

The discovery of yet another npm malware comes after dependency confusion malware was seen targeting known tech companies.

The full extent of capabilities contained within this malware and its definite purpose are yet to be determined.

Macos Malware Scan

But, the malware's zero-detection rate and the fact it capitalizes on legitimate open-source components, including the popular Browserify, should raise everyone's eyebrows for what the next iteration of such an attack might look like.

Related Articles: