A team of ethical hacking specialists from security firm Confiant has revealed the discovery of a new malware variant for Mac devices. Dubbed Tarmac, this strain is distributed through some malicious advertising campaigns in countries such as the US, Japan and Italy.
In their report, the researchers explain that the chain starts with malicious advertising, which redirects the victim to a malicious pop-up site offering updates for commonly used software (Adobe Flash Player, for example). When the victim downloads and runs the alleged update, the macOS malware OSX/Shlayer is installed, which eventually runs the OSX/Tarmac payload.
“This is obviously a fake Adobe installation signed with an Apple developer certificate (2L27TJZBZM). This certificate was issued by Fajar Budiarto, a fake entity,” the ethical hacking experts added.
This campaign has been observed since January 2019, although at that time researchers had not yet detected Tarmac’s malicious code. It is very common for malware developers to sign their creations with Apple developer certificates, as this is easier than other methods and allows their code to bypass some of the most commonly used security mechanisms on the system, such as XProtect or Gatekeeper.
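A signed binary passing Gatekeeper says nothing about who signed it, so a defender can still key on the signing team. The script below is an added example (not code from Confiant’s report) that classifies the output of `codesign -dv --verbose=4` by its `TeamIdentifier` line; the blocklist holds only the team ID quoted in this article, and the sample codesign output is constructed to resemble the fake installer described above.

```shell
#!/bin/sh
# Classify a macOS bundle's signature by team identifier.
# Team IDs treated as malicious (constructed list; the ID is the one quoted above).
BLOCKED_TEAM_IDS="2L27TJZBZM"

# extract_team_id: print the TeamIdentifier value from codesign output on stdin.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# team_id_blocked TEAMID: succeed if the team ID is on the blocklist.
team_id_blocked() {
    for id in $BLOCKED_TEAM_IDS; do
        [ "$1" = "$id" ] && return 0
    done
    return 1
}

# classify_signature: read codesign output on stdin and print a verdict:
#   unsigned - no TeamIdentifier, or "not set" (ad hoc signature)
#   blocked  - team ID is on the blocklist
#   signed   - signed by another team (still subject to Gatekeeper policy)
classify_signature() {
    tid=$(extract_team_id)
    if [ -z "$tid" ] || [ "$tid" = "not set" ]; then
        echo unsigned
    elif team_id_blocked "$tid"; then
        echo blocked
    else
        echo signed
    fi
}

# check_app PATH: inspect a real bundle (macOS only; codesign prints to stderr).
check_app() {
    codesign -dv --verbose=4 "$1" 2>&1 | classify_signature
}

# Constructed sample resembling codesign output for the fake Adobe installer.
SAMPLE_OUTPUT='Executable=/Volumes/Install/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Fajar Budiarto (2L27TJZBZM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=2L27TJZBZM'

if [ -n "${1:-}" ]; then
    check_app "$1"          # real bundle path given on the command line
else
    printf '%s\n' "$SAMPLE_OUTPUT" | classify_signature   # prints: blocked
fi
```

Pass a path to an `.app` bundle as the first argument to inspect a real download; with no argument the script classifies the constructed sample.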
In the report, the experts note that the campaign operators’ command and control (C&C) servers were inactive at the time of the investigation, and that the malware samples analyzed were somewhat old. However, it is likely that the criminals have merely changed infrastructure and that the campaign remains active.
Because the analyses were performed when the C&C servers were already down, the experts could not determine the malware’s full feature set. “We know that Tarmac collects information about the target system and sends it to the hackers, although we don’t know which commands this malware supports,” the ethical hacking experts added.
Although it does not seem like an overly sophisticated tactic, experts from the International Institute of Cyber Security (IICS) note that malicious advertising and pop-ups remain highly effective for distributing this kind of malware. As a security measure, users are advised to avoid clicking on suspicious links that could redirect them to malicious pages.