21 New Mac Malware Families Emerged in 2023
In his annual review of the year's macOS threats, Apple security researcher Patrick Wardle catalogued 21 new malware families engineered specifically for macOS in 2023. By his count that is an increase of more than 50% over the number of new families he tracked in the previous year, a notable acceleration in malicious activity aimed at Apple devices.
Each of the newly identified families is documented in Wardle's blog post, with details of its infection vector, persistence mechanism, capabilities, and purpose. Wardle also makes samples of each family available for download, so defenders and researchers can study the binaries themselves rather than rely on third-party descriptions.
Ransomware appeared among the 2023 macOS malware in two forms: a Mac build of the LockBit file encryptor and a strain named Turtle. Neither had caused meaningful harm to macOS users at the time of discovery, but their existence shows that ransomware operators continue to invest in Apple platforms.
The largest category among the new families was information stealers, built to collect and exfiltrate sensitive data from compromised machines, including saved passwords, browser cookies, and cryptocurrency wallets. Notable infostealers identified in 2023 include PureLand, Realst, MetaStealer, AtomicStealer (AMOS), JaskaGO, MacStealer, and GoSorry.
On the Advanced Persistent Threat (APT) side, 2023 saw increased Mac-focused malware development, most of it attributed to threat actors linked to North Korea. Families such as SmoothOperator (the payload delivered through the 3CX supply-chain compromise), RustBucket, KandyKorn, and ObjCShellz, along with FullHouse.Doored, StratoFear, and TieDye, which were used in the JumpCloud intrusion, illustrate the growing sophistication of these groups' macOS tooling.
Other additions to the 2023 macOS malware roster include the SparkRAT backdoor, the Geacon backdoor (a Go implementation of a Cobalt Strike beacon), and the WSClient proxy. Researchers also identified the iWebUpdater backdoor and updater, which had apparently been in circulation for about five years before being documented, new variants of the CoinMiner and XLoader malware, and reports suggesting a possible macOS version of the Triangulation implant. Two further families, hVNC and ShadowVault, were advertised for sale but have not yet been observed in the wild. Taken together, these findings describe a threat landscape that demands continued vigilance from anyone responsible for securing macOS systems.