Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Flashback Trojan Puts Mac Malware Back on Stage

Flashback Mac Trojan Cloaks Itself as Adobe Flash Update, Opens Backdoor to Mac OS Systems

It has been a busy few days in the world of Mac malware.

Flashback Mac Trojan Cloaks Itself as Adobe Flash Update, Opens Backdoor to Mac OS Systems

It has been a busy few days in the world of Mac malware.

The week opened with a report that Apple had updated its blacklist of known malware to include the Trojan dropper Revir, and it is closing with reports about the spread of a new Trojan known as Flashback. While Revir disguised itself as a PDF file, Flashback cloaks itself as a Flash Player update.

While Mac security firm Intego initially the Trojan was not widespread, it has since noted an uptick in reports of infections.

According to Intego, the Trojan is spreading via malicious Websites.

“The first things you see are the crashed plugin graphic and the purported error messages,” the company explained in a blog post. “After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow “safe” downloads to open automatically – you will see an Installer window open.” (Image Below)

Flashback Trojan Malware for Mac

Users with the default Safari browser settings – which allow “safe” downloads to open automatically – will see an Installer window open. If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself.

The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches.” The malware also installs a backdoor at ~/Library/Preferences/Preferences.dylib that communicates with a remote server and sends and receives data using RC4 encryption, according to Intego.

Advertisement. Scroll to continue reading.

“This is effective social engineering,” Intego noted on its blog post. “Savvy Mac users will not be fooled, because they know that a Flash installer would never appear in this manner, but two things make this approach believable. First, Flash Player is not installed on Mac OS X Lion, so users will need to install it themselves if they want to view Flash content on the web. Second, if they do have Flash Player installed, and have set the Flash Player preference pane (in System Preferences) to automatically check for updates, they may think that this is an update alert…So this can easily fool many Mac users into downloading the malware.”

Just how users are being lured to the sites was not mentioned by Intego. However, Graham Cluley, senior technology consultant at Sophos, called it easy to imagine.

“For instance, it would be child’s play to create a website which pretends to show something salacious (“Scarlett Johansson nude video!” would probably do well at the moment, for instance) and then when you try to view it, you’re prompted to install an update to Adobe Flash. Of course, rather than the genuine Flash you would be installing the Trojan horse,” he blogged. “Similar tricks have certainly worked well in the past – against both Windows and Mac users.”

“We all know that there is much… more malware written for Windows than there is for Mac OS X,” he added. “But that doesn’t mean it’s non-existent, and it’s no excuse for leaving Apple Macs unprotected.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.