Confiant found that malicious ad campaigns in the US, Italy and Japan were spreading the Tarmac malware, which targets macOS users. The malware's goals and full functionality have not yet been established.
“Cyber criminals, APT groups and nation-state actors are extensively targeting Apple iOS/MacOS devices for various reasons: continuous innovation and development of Apple platforms leads ultimately to new attack surfaces (and more 0-days sold in the underground)”, Confiant's specialists report.
The attack begins with the malicious ad running malicious code in the victim's browser and redirecting it to a site that displays pop-ups telling the user to urgently install a software update (usually posing as Adobe Flash Player). Users who fall for the trick receive not an update but two pieces of malware at once: OSX/Shlayer and OSX/Tarmac.
According to Confiant, this Shlayer and Tarmac ad campaign has been active since January of this year. Notably, the company's researchers wrote about Shlayer last winter, but at that time they did not find Tarmac.
“Confiant detected and analyzed OSX/Shlayer since January 2019, originating from a malvertiser that Confiant have dubbed VeryMal. It's estimated based on the scope of our coverage that as many as 5MM visitors may have been subject to this recent malware campaign”, Confiant's specialists explain.
Now the researchers have updated their report on this still-active campaign and its payload.
Tarmac acts as the second-stage payload: it comes into play after Shlayer. All Tarmac samples the researchers found were relatively old, and their command-and-control (C&C) servers were no longer online by the time the malware was discovered (most likely they had been moved elsewhere). This hampered analysis, and the researchers were not able to fully determine how Tarmac works.
What is known so far is that Tarmac is installed on Shlayer-infected hosts, collects information about the victim's configuration and hardware, and sends it to its C&C server. The malware then waits for new commands, but because the C&C servers were offline, its full functionality could not be determined. The researchers believe the threat could be very dangerous, likely able to download and install additional applications, and intend to continue their study.
Researchers add that the Tarmac payloads are signed with valid Apple developer certificates. As a result, neither Gatekeeper nor XProtect blocks the installation, and the user sees no warning. Such a signature only proves that Apple issued the certificate to some developer account; it says nothing about whether the signed code is benign.
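Because a valid Developer ID signature gets a download past Gatekeeper, the useful triage question is not "is it signed?" but "is it signed by a Team ID we actually expect?". The following POSIX shell script is an added example, not code from Confiant or Apple: it parses the output of `codesign -dvv --verbose=4` (which codesign writes to stderr, hence `2>&1` in the usage line) and returns ALLOW, REVIEW or UNSIGNED. The allowlist, the sample outputs and every Team ID in them are constructed placeholders, not identifiers of any real vendor or of the Tarmac payloads.

```shell
#!/bin/sh
# Added example (not Confiant's or Apple's code): triage the signing identity
# of a downloaded macOS bundle from `codesign` output, treating a valid
# Developer ID signature as "Apple issued this cert", not "this is safe".
#
# On a Mac, feed real output in with:
#   codesign -dvv --verbose=4 /path/to/Installer.app 2>&1 | signer_verdict_stdin
# The samples below are constructed; the Team IDs are placeholders, not the
# identifiers of any real vendor or of the Tarmac payloads (assumption).

# Team IDs the organisation has explicitly reviewed (assumed allowlist).
ALLOWED_TEAM_IDS="AAAAAAAAAA BBBBBBBBBB"

# Print a verdict for codesign output passed as $1 and return:
#   0 ALLOW    - Developer ID signature whose Team ID is on the allowlist
#   1 REVIEW   - signed, but by a Team ID (or certificate type) we do not know
#   2 UNSIGNED - no signature, or ad-hoc (codesign prints TeamIdentifier=not set)
signer_verdict() {
    cs_out=$1
    case "$cs_out" in
        *"code object is not signed at all"*)
            echo "UNSIGNED"; return 2 ;;
    esac
    # codesign emits one TeamIdentifier= line and one Authority= line per cert
    # in the chain; the first Authority= line is the leaf certificate.
    team_id=$(printf '%s\n' "$cs_out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    authority=$(printf '%s\n' "$cs_out" | sed -n 's/^Authority=//p' | head -n 1)
    if [ -z "$team_id" ] || [ "$team_id" = "not set" ]; then
        echo "UNSIGNED"; return 2
    fi
    case "$authority" in
        "Developer ID Application:"*) ;;
        *) echo "REVIEW $team_id (not a Developer ID leaf: $authority)"; return 1 ;;
    esac
    for allowed in $ALLOWED_TEAM_IDS; do
        if [ "$team_id" = "$allowed" ]; then
            echo "ALLOW $team_id ($authority)"; return 0
        fi
    done
    echo "REVIEW $team_id ($authority)"; return 1
}

# Convenience wrapper for piped input.
signer_verdict_stdin() { signer_verdict "$(cat)"; }

# Constructed samples mimicking `codesign -dvv --verbose=4` output.
SAMPLE_KNOWN='Executable=/Applications/Known.app/Contents/MacOS/Known
Identifier=com.example.known
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (AAAAAAAAAA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AAAAAAAAAA'

SAMPLE_UNKNOWN='Executable=/Users/me/Downloads/FlashPlayer.app/Contents/MacOS/FlashPlayer
Identifier=com.example.fakeupdate
Authority=Developer ID Application: Unknown Publisher (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ'

SAMPLE_ADHOC='Executable=/tmp/adhoc
Identifier=adhoc
Signature=adhoc
TeamIdentifier=not set'

SAMPLE_UNSIGNED='/tmp/plain: code object is not signed at all'

# Stand-alone demo: one verdict line per sample.
for s in "$SAMPLE_KNOWN" "$SAMPLE_UNKNOWN" "$SAMPLE_ADHOC" "$SAMPLE_UNSIGNED"; do
    signer_verdict "$s" || true
done
```

A REVIEW verdict is the interesting case here: the fake "Flash Player" installer in the second sample carries a perfectly valid Developer ID chain, exactly the situation the report describes, and only the unfamiliar Team ID gives it away. The script deliberately does not verify the signature itself; on a Mac that is `codesign --verify` and `spctl --assess`'s job, and this check is meant to run on their output afterwards.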