A cyber espionage group has been using malware named MacDownloader to steal credentials and other data from Mac computers.
The malware ended up discovered and analyzed by Claudio Guarnieri and Collin Anderson, researchers specializing in Iranian surveillance and espionage campaigns targeting human rights, foreign policy and civil society entities.
MacDownloader, disguised by attackers as a Flash Player update and a Bitdefender adware removal tool, ended up created at the tail end of last year.
The attackers were able to pull coded from from other sources. Researchers believe this could be an amateur developer’s first attempt at creating a piece of malware.
When Guarnieri and Anderson conducted their analysis, the malware did not appear on any of the security products on VirusTotal. Right now, however, 12 vendors flagged the fake Flash Player and Bitdefender apps as malicious.
Researchers first found MacDownloader on a fake website of aerospace firm United Technologies Corporation, which had previously delivered Windows malware. The same host had also deployed the Browser Exploitation Framework (BeEF) on sites apparently belonging to the U.S. Air Force and a dental office.
While the attacks targeted the defense industrial base sector, the researchers are aware of reports it ended up used against a human rights advocate.
The macOS malware appears to link to Charming Kitten, aka Newscaster and NewsBeef, an Iranian attacker known for creating fake personas on social networking websites in an effort to harvest information from targeted individuals in the U.S., Israel, the UK, Saudi Arabia and Iraq. Charming Kitten is also known for using BeEF.
Once it infects a device, the malware harvests information about the system, including processes and applications, and collects passwords stored in the Keychain. The Windows malware used by the group is similar, collecting saved credentials and browser history from Chrome and Firefox.