Researchers See Links Between Iran and Mac Malware
MacDownloader Engineered to Steal Passwords from macOS's Keychain
Bad news: A half-finished sample of new Mac malware recently appeared on the desktop of a human rights advocate. But the good news, researchers say, is that the malware is sloppily written, and thus poses little risk to users. Circumstantial technical evidence links the malware to Iran, which information security watchers believe has an active cyber offensive program.
That analysis comes via computer security researchers Claudio Guarnieri and Collin Anderson, who both track developments in suspected state-sponsored attacks against dissidents and government censorship of the internet.
Their malware analysis, published Feb. 6, suggests that the malicious code in question, called MacDownloader, was built by a group nicknamed Charming Kitten, which they believe is connected to Iranian security companies.
The human rights community in Iran tends to put more faith in the security of Apple products because they are generally targeted less than Windows devices, the researchers write. But that belief could lead targets to underestimate the information security risks they face. "While this agent [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers with certain communities and inaccurate perceptions about the security of those devices," they write.
To get infected, a victim would have to click through a series of dialogs to install it. Still, as of the researchers' blog post, no vendors on VirusTotal - a free service that subjects suspected malware to multiple anti-virus scanners - were detecting it.
Charming Kitten's Messy Code
MacDownloader, however, is a mess. It is full of typos and grammatical errors, which is a strong sign to any user that an application isn't legitimate. In this case, the application first presents itself as an update for Adobe Systems' Flash multimedia player and gives users the option of closing the installation dialog box. If users close the box, the malware does indeed exit.
But if a victim opts to install the bogus update, a different dialog box appears that says adware was discovered on the computer. It's the type of warning that would typically come from a security application, not from a Flash update.
"We believe MacDownloader was originally designed as a fake virus removal tool and in order to fit a particular social engineering attempt; it was later repackaged as a fake Flash Player update," the researchers write.
When running, MacDownloader profiles a computer and tries to collect credentials from the keychain, macOS's built-in password manager.
Linked to Iranian Government?
The researchers believe MacDownloader has a strong connection to Iran, based on command-and-control data, strings in its code and how it was distributed.
The malware was first spotted on a website for a bogus company called United Technologies Corp. The company appears to have been created in order to target the defense industry, offering fake courses for employees of Lockheed Martin, Raytheon and Boeing. Researchers say the website was previously used as part of a spear-phishing campaign that sent emails laden with Windows malware.
The potential connection to Iran comes via metadata in MacDownloader's code, the researchers say. In particular, the bundle identifier - the string in an app's Info.plist that identifies the application and, by Apple's reverse-DNS convention, its developer - is listed as "zenderod," which the researchers say may be a reference to the Zayandeh River that runs near Isfahan, Iran.
The transliteration of the river's name is also close to the domain name of a software and hosting company near Isfahan called Novin Pardaz Zenderod, which originally used the "zenderod.ir" domain name.
"We contacted an individual listed as the administrative contact for Novin Pardaz Zenderod, and they denied producing macOS software or association with the malware," the researchers write.
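The bundle-identifier clue above is the kind of metadata an analyst pulls out first when triaging a suspicious app bundle. The following is an added example, not code from the researchers or from this article: it parses an Info.plist with Python's standard plistlib, extracts CFBundleIdentifier, and flags two things a fake Flash updater gets wrong - an identifier that is not in reverse-DNS form, and an app that presents itself as a vendor's product while its identifier does not sit under that vendor's domain. The plist contents, the "Flash Player Update" name and the com.adobe. prefix mapping are constructed assumptions; only the identifier string "zenderod" comes from the article.

```python
"""Triage helper: read a macOS app's Info.plist and check its bundle identifier
against the vendor the app claims to be.

Added example, not the researchers' or the article's code. The plist bytes
below are constructed for illustration; only "zenderod" comes from the article.
"""
import plistlib
import re

# Constructed Info.plist for a fake "Flash Player" updater. Its identifier is a
# bare word instead of the reverse-DNS form Apple uses (e.g. com.adobe.*).
FAKE_FLASH_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>zenderod</string>
    <key>CFBundleName</key>
    <string>Flash Player Update</string>
    <key>CFBundleExecutable</key>
    <string>Install Flash Player</string>
</dict>
</plist>
"""

# Constructed comparison plist shaped the way a genuine vendor bundle would be.
LEGIT_LOOKING_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.adobe.flashplayer.installmanager</string>
    <key>CFBundleName</key>
    <string>Adobe Flash Player Install Manager</string>
</dict>
</plist>
"""

# Reverse-DNS identifiers have at least two dot-separated labels.
REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Keyword an app might use in its name -> identifier prefix a genuine bundle from
# that vendor would carry. Assumption for this check, not a published mapping.
CLAIMED_VENDOR_PREFIXES = {
    "flash": "com.adobe.",
    "adobe": "com.adobe.",
}


def load_bundle_metadata(plist_bytes: bytes) -> dict:
    """Parse Info.plist bytes and return the keys relevant to triage."""
    info = plistlib.loads(plist_bytes)
    return {
        "identifier": info.get("CFBundleIdentifier", ""),
        "name": info.get("CFBundleName", ""),
        "executable": info.get("CFBundleExecutable", ""),
    }


def triage_bundle(plist_bytes: bytes) -> list:
    """Return a list of human-readable findings; empty means nothing looked off."""
    meta = load_bundle_metadata(plist_bytes)
    ident = meta["identifier"]
    findings = []

    if not ident:
        return ["missing CFBundleIdentifier"]

    if not REVERSE_DNS.match(ident):
        findings.append(f"identifier {ident!r} is not in reverse-DNS form")

    # An app that names a vendor's product but whose identifier is not under that
    # vendor's domain is the pattern the article describes for MacDownloader.
    claimed = (meta["name"] + " " + meta["executable"]).lower()
    for keyword, prefix in CLAIMED_VENDOR_PREFIXES.items():
        if keyword in claimed and not ident.lower().startswith(prefix):
            findings.append(
                f"app presents as {keyword!r} but identifier {ident!r} is not under {prefix}*"
            )
            break
    return findings


if __name__ == "__main__":
    for label, blob in (("fake", FAKE_FLASH_INFO_PLIST), ("legit-looking", LEGIT_LOOKING_INFO_PLIST)):
        print(label, "->", triage_bundle(blob) or ["no findings"])
```

On a real bundle, read the bytes from Contents/Info.plist inside the .app directory and pass them to triage_bundle. The check is a heuristic for triage, not proof of malice: a bare identifier only tells you the bundle was not built the way a vendor's release engineering would build it, which is exactly why it is worth a second look alongside code-signature and VirusTotal results.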
They also found files that had been uploaded to a command-and-control server from a MacBook Pro infected with MacDownloader. The files included references to two wireless networks whose names have been linked to an Iranian group that defaces websites, as well as another name previously found in a sample of Windows malware; both appear to be connected to pro-Iran groups that are "involved in state-aligned campaigns."