
iWorm

Posted: December 3, 2019

iWorm is a backdoor Trojan targeting OS X systems. It gives attackers control over the infected Mac through a concealed backdoor and is notable for abusing a Reddit forum for part of its Command & Control communications. OS X users should avoid illegitimate Flash updates and, in most circumstances, let a compatible anti-malware tool delete iWorm immediately.

A Trojan with Creative Abuses for Forum Posts

While Mac-oriented Trojan campaigns and infections are a minority, dwarfed by their Windows counterparts, the few that do exist are notably similar to one another. For example, iWorm – a backdoor Trojan, rather than a worm – active from 2014 to 2016, uses standard persistence techniques for the OS X environment while delivering equally unsurprising invasion and control capabilities to its handlers. If anything stands out about iWorm, it's not what it does, but part of how it does it: with the help of social media.

iWorm is a backdoor Trojan whose command-executing features imply a botnet structure that takes over randomly attacked OS X computers and recruits them as 'zombies' for DDoS attacks, cryptocurrency mining or pay-per-click fraud. Although iWorm uses ordinary Web servers for the Command & Control contacts from which it receives its instructions, there is an interesting detail in how it finds them. Instead of relying on hard-coded IP addresses or a more conventional form of dynamic address book, iWorm retrieves its server addresses from a Reddit sub-forum that provides Minecraft server lists. Fortunately, that sub-forum is no longer operational – meaning that iWorm is a crippled threat without any long-term persistence.
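The address-lookup trick described above is what detection engineers call a dead-drop resolver: the malware carries no server addresses at all and instead reads them out of posts on a public site that nobody would think to block. The following is an added example, not code from the original article or from any iWorm analysis, showing the two checks a defender can run against that pattern: first, which processes on a Mac are talking to the forum at all (only browsers should be), and second, whether a fetched post body looks like a machine-readable server list rather than a human comment. Every log line, process name, host list, post body and threshold below is constructed for the example; the page gives none of these values.

```python
"""
Added example: detecting the 'dead-drop resolver' pattern, where malware
fetches its C&C server list from posts on a public forum instead of
carrying hard-coded addresses.

Check 1 - network telemetry: flag non-browser processes contacting the forum.
Check 2 - content analysis: flag fetched post bodies that are really IP:port
          lists in disguise.
All sample data, the browser allowlist, the forum host list and the
minimum-entries threshold are constructed assumptions, not values from
the article.
"""
import re
from collections import defaultdict

# Constructed host telemetry: "<process name>\t<destination host>" per line.
# 'flash_update_helper' is a made-up process name standing in for a
# fake-updater payload; it is not an identifier from the article.
SAMPLE_NET_LOG = """\
Safari\twww.reddit.com
Safari\tcdn.example.invalid
flash_update_helper\twww.reddit.com
flash_update_helper\t203.0.113.7
Mail\timap.example.invalid
flash_update_helper\twww.reddit.com
"""

# Processes that are expected to browse public forums (assumption).
EXPECTED_FORUM_CLIENTS = {"Safari", "Google Chrome", "firefox"}
# Hostnames we treat as 'the forum' for this check (assumption).
FORUM_HOSTS = {"www.reddit.com", "reddit.com", "old.reddit.com", "api.reddit.com"}


def parse_net_log(text):
    """Turn the tab-separated telemetry into (process, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, host = line.split("\t")
        events.append((proc, host))
    return events


def flag_forum_contacts(events):
    """Return {process: contact_count} for non-browser processes that
    reached a forum host. A daemon or 'updater' polling Reddit is the
    telemetry signature of a dead-drop resolver."""
    hits = defaultdict(int)
    for proc, host in events:
        if host in FORUM_HOSTS and proc not in EXPECTED_FORUM_CLIENTS:
            hits[proc] += 1
    return dict(hits)


# IPv4:port pairs; octet and port ranges are validated in the function.
HOSTPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def extract_server_list(post_body, min_entries=3):
    """Return the (ip, port) pairs found in a post body if there are at
    least min_entries of them, otherwise an empty list. A normal forum
    comment rarely contains several valid IP:port pairs."""
    pairs = []
    for ip, port in HOSTPORT_RE.findall(post_body):
        port = int(port)
        if port <= 65535 and all(int(octet) <= 255 for octet in ip.split(".")):
            pairs.append((ip, port))
    return pairs if len(pairs) >= min_entries else []


def looks_like_dead_drop(post_body, min_entries=3):
    """True when a post body reads like a server list rather than prose."""
    return bool(extract_server_list(post_body, min_entries))


# Constructed post bodies (documentation-range addresses only).
CONSTRUCTED_POST_BENIGN = "Looking for a survival server to play with friends, any tips?"
CONSTRUCTED_POST_LIST = "203.0.113.7:8080\n198.51.100.23:443\n192.0.2.99:8443\nhave fun"

if __name__ == "__main__":
    print("suspicious forum clients:", flag_forum_contacts(parse_net_log(SAMPLE_NET_LOG)))
    print("benign post is dead drop:", looks_like_dead_drop(CONSTRUCTED_POST_BENIGN))
    print("list post is dead drop:  ", looks_like_dead_drop(CONSTRUCTED_POST_LIST))
```

The first check is the cheaper one to deploy: an EDR or firewall rule that alerts on any non-browser process reaching a social-media domain catches this whole class of resolver regardless of which forum or post format a given sample uses. The second check is what an analyst applies to the content such a process fetched, and it is also why the article's point about the sub-forum closing matters: once the dead drop is gone, the resolver returns nothing and the bot has no way to find its servers.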

However, iWorm's payload includes numerous features showing that its administrators intended to make abusive use of infected OS X computers. The Trojan could download files automatically, execute Lua scripts, relay traffic, update its botnet information, and transfer system information to the attackers.

How Your Flash Patch Opens Up an Unwanted Door

iWorm's original campaign used a social engineering tactic that leveraged Adobe's reputation for credibility: fake Flash updates delivered iWorm through pop-ups bearing the appropriate logos and related imagery, although, in some instances, the attempt failed due to unanalyzed bugs. Interestingly, iWorm isn't a port of a previous threat for another OS, and no versions of it appear to exist for Windows, Linux, etc.

Malware researchers find most iWorm infections centered in the United States, Canada, and the United Kingdom, in that order of prominence, although others are active in nations throughout the world. Mac OS X users should avoid unsafe update sources – particularly pop-ups from advertising networks or websites not endorsed by Adobe – and scan all downloads before opening them.

Compatible anti-malware tools may delete iWorm or quarantine it safely for further analysis by security researchers. iWorm's hijacking of a legitimate business service isn't the only time this has happened, but its implementation is a somewhat novel one. Any helpful tool, even something as simple as a forum for talking to others, can become a weapon against others when hackers put their minds to it.
