9to5Mac Security Bite is brought to you exclusively by Mosyle.
In this week’s Security Bite, Apple device management and security leader Mosyle exclusively revealed details about a new family of Mac malware downloaders to 9to5Mac. Mosyle’s security research team discovered that these new threats are written in unconventional programming languages and use several other clever techniques to evade detection.
A malware downloader is essentially a foot in the door for cybercriminals. Its main goal is to secretly establish an initial presence on a system and create a path for downloading more malware.
The new downloader samples, discovered earlier this month, were written in Nim, Crystal, and Rust, languages that are rarely used for Mac malware; Objective-C, C++, and Bash have historically been the most common. The unusual choice suggests the attackers are deliberately trying to evade traditional, signature-based antivirus detection, whose rules are largely built around binaries produced by those more familiar toolchains.
While this approach is stealthy, I doubt it will become a widespread trend. Less popular languages like Nim or Rust are harder for cybercriminals to break into. They likely have more complex compilation processes than tried-and-true options like C and Bash, and they come with fewer pre-built libraries and tools. The steeper learning curve and harder debugging mean criminals are more likely to accidentally leave digital breadcrumbs that could expose their malware. After all, even cybercriminals want their code to run smoothly, and these experimental languages make that much harder right now.
Other evasion tactics we’ve seen include:
- Persistence via the macOS launchctl (launchd) mechanism
- Multi-hour sleep intervals
- Directory checks before data transfers
According to Mosyle's research, the malware campaign is in its early stages and may be aimed at reconnaissance. Telemetry data indicates that the samples originated from systems in Bulgaria and the United States.
Most worryingly, the samples went undetected by the antivirus engines on VirusTotal for several days after their initial discovery.
Here are the hashes of the three malware samples and their corresponding command and control (C2) domains:
Nim sample
C2 Domain: strawberryandmangos[.]com
Hash: f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07
Crystal sample
C2 Domain: motorcyclesincyprus[.]com
Hash: 2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702
Rust sample
C2 Domain: airconditionersontop[.]com
Hash: 24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066
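As an added example, not code from the article or from Mosyle, the script below turns the indicators above into a quick host sweep: it walks the launchd persistence locations a launchctl-registered implant would live in, hashes every program referenced by a LaunchAgent or LaunchDaemon plist, and reports any whose SHA-256 matches the three published hashes, then refangs the C2 domains for use in a blocklist. The directory list, the helper names, and the constructed plist and dummy binary inside demo_scan are assumptions for illustration.

```python
"""IOC sweep for the Nim/Crystal/Rust downloader samples (added example).

Hashes launchd-registered programs and compares them against the published
SHA-256 hashes; refangs the defanged C2 domains for blocking.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path

# SHA-256 hashes and defanged C2 domains as published in the article.
IOC_HASHES = {
    "f1c312c20dbef6f82dc5d3611cdcd80a2741819871f10f3109dea65dbaf20b07": "Nim downloader",
    "2c7adb7bb10898badf6b08938a3920fa4d301f8a150aa1122ea5d7394e0cd702": "Crystal downloader",
    "24852ddee0e9d0288ca848dab379f5d6d051cb5f0b26d73545011a8d4cff4066": "Rust downloader",
}
IOC_DOMAINS = [
    "strawberryandmangos[.]com",
    "motorcyclesincyprus[.]com",
    "airconditionersontop[.]com",
]

# launchd persistence locations (assumed sweep scope, not from the article).
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a hostname
    that can be matched against DNS logs or loaded into a blocklist."""
    return domain.replace("[.]", ".")


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def program_paths_from_plist(plist_bytes: bytes) -> list:
    """Return the executable(s) a launchd job plist would run: the Program key
    and/or ProgramArguments[0]. Unparseable plists yield an empty list."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return []
    paths = []
    if isinstance(job.get("Program"), str):
        paths.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def scan_launchd_dirs(dirs, ioc_hashes=IOC_HASHES) -> list:
    """Hash each program referenced by a launchd plist in `dirs` and return
    (plist_path, program_path, label) for every SHA-256 found in `ioc_hashes`."""
    hits = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in d.glob("*.plist"):
            for prog in program_paths_from_plist(plist.read_bytes()):
                p = Path(prog)
                if not p.is_file():
                    continue
                digest = sha256_of_file(p)
                if digest in ioc_hashes:
                    hits.append((str(plist), str(p), ioc_hashes[digest]))
    return hits


def demo_scan() -> list:
    """Constructed fixture (hypothetical, not a real sample): a throw-away
    LaunchAgents directory with one plist pointing at a dummy script, and an
    IOC set that adds the dummy's hash to the published ones."""
    tmp = Path(tempfile.mkdtemp())
    fake_bin = tmp / "updater"
    fake_bin.write_bytes(b"#!/bin/sh\nsleep 7200\n")  # stand-in for a multi-hour-sleep downloader
    agents = tmp / "LaunchAgents"
    agents.mkdir()
    job = {"Label": "com.example.updater", "ProgramArguments": [str(fake_bin)], "RunAtLoad": True}
    (agents / "com.example.updater.plist").write_bytes(plistlib.dumps(job))
    iocs = dict(IOC_HASHES)
    iocs[sha256_of_file(fake_bin)] = "constructed test sample"
    return scan_launchd_dirs([agents], iocs)


if __name__ == "__main__":
    for plist, prog, label in scan_launchd_dirs(LAUNCHD_DIRS):
        print(f"MATCH {label}: {prog} (registered by {plist})")
    print("Refanged C2 domains to block:", ", ".join(refang(d) for d in IOC_DOMAINS))
```

Run it as the user whose LaunchAgents you want to check (and with sudo for the system-wide directories); a hit prints the matching program and the plist that registers it. Hash matching only catches these exact builds, so pair it with DNS or proxy logs searched for the refanged domains.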
The Mosyle security team continues to actively monitor and investigate these threats, and I will post updates here as we learn more. The domains above are defanged with [.] in place of the dot so they are not rendered as live links; the Mosyle team told me these C2 servers may still be active, so they should be blocked rather than visited.
Follow Arin: Twitter/X, LinkedIn, Threads