A cyber espionage group linked to Iran has been using an unsophisticated piece of malware named MacDownloader to steal credentials and other data from Mac computers.
The malware was analyzed by Claudio Guarnieri and Collin Anderson, researchers specializing in Iranian surveillance and espionage campaigns targeting human rights, foreign policy and civil society entities.
MacDownloader, disguised by the attackers as a Flash Player update and a Bitdefender adware removal tool, was created towards the end of 2016. Much of its code has been copied from other sources, and the researchers believe it could be an amateur developer’s first attempt at writing malware.
When Guarnieri and Anderson conducted their analysis, the malware was not detected by any of the security products on VirusTotal. At the time of writing, nearly a dozen vendors have flagged the fake Flash Player and Bitdefender apps as malicious.
MacDownloader was first spotted on a fake website of aerospace firm United Technologies Corporation, which had previously delivered Windows malware. The same host had also been used to deploy the Browser Exploitation Framework (BeEF) on sites apparently belonging to the U.S. Air Force and a dental office.
While the attacks observed by Guarnieri and Anderson appear to target the defense industrial base sector, the researchers are aware of reports that the malware has also been used against a human rights advocate.
Evidence suggests that the macOS malware is tied to Charming Kitten, aka Newscaster and NewsBeef, an Iranian threat actor known for creating fake personas on social networking websites in an effort to harvest information from targeted individuals in the US, Israel, the UK, Saudi Arabia and Iraq. Charming Kitten is also known for using BeEF.
Once it infects a device, the malware harvests information about the system, including processes and applications, and collects passwords stored in the Keychain. The Windows malware used by the group is similar, collecting saved credentials and browser history from Chrome and Firefox.
While its code shows that the developers of MacDownloader have attempted to implement remote update and persistence capabilities, these mechanisms don’t appear to be functional.
Researchers have found links between MacDownloader and other threat actors believed to be located in Iran, including the Iran Cyber Security Group, which specializes in defacing websites, and Flying Kitten (aka Rocket Kitten), which is known for targeting organizations in the Middle East and NATO countries.