
MacDownloader

Posted: December 2, 2019

MacDownloader is a Trojan downloader that also collects some information from your computer, including system data and user credentials. MacDownloader targets macOS users through campaigns focused on military workers and contractors, typically by selectively compromising themed websites. Users should monitor their browsers for any behavior that matches the Trojan's tactics and use anti-malware products to protect the computer or remove MacDownloader.

The Attack You Have to Accept with Open Arms

In 2017, Apple OS users came under assault by way of a phishing website. The threat that it sent out to these open arms was a Trojan downloader, MacDownloader, albeit one with crippled functionality. It also had unusually strict requirements for completing the rest of its payload: it needs the user's consent and personal information at multiple steps.

Cyber-security experts and malware researchers also suspect that MacDownloader began its life as a different tactic, disguising itself as a fake Bitdefender update. Users visiting the compromised website see various pop-ups, including Flash update alerts and Bitdefender warnings claiming to have caught an old worm (which they also misclassify as spyware). Unlike most phishing attacks, MacDownloader's lures don't closely imitate the formatting of either Bitdefender or a genuine Flash update.

Users who accept these 'updates' also get a second request for their name and password. This highly unusual step is the most threatening part of MacDownloader's installation routine. Filling it out provides the Trojan with the user's name and password, as well as keychain files that contain other passwords and credentials. MacDownloader then automatically tries to upload this information, along with various system statistics, to its (currently down) server.

Very strangely, users can stop this attack at any point. If they close the windows or cancel any of the above requests, MacDownloader abandons its installation routine. The lack of any failsafe is relatively unusual and a sign that the threat actor put surprisingly little development effort into MacDownloader's campaign.
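The credential-and-keychain theft described above suggests a simple host-side detection: a process that is not one of macOS's own keychain handlers reads a user keychain file and then opens an outbound connection shortly afterwards. The following Python script is an added example, not code from the original article or from any vendor; the pipe-separated log format, the process name `FakeFlashUpdate`, the allowlist, the 60-second window and the IP addresses (TEST-NET ranges) are all constructed for illustration and would need tuning against real endpoint telemetry.

```python
"""Toy detector for MacDownloader-style keychain theft followed by upload.

Added example: the event format and all sample values are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: processes that legitimately touch user keychains on macOS.
# Tune this allowlist for your fleet; it is not an authoritative list.
KEYCHAIN_READERS_ALLOWLIST = {"securityd", "Keychain Access", "security", "trustd"}

# User keychain files live under ~/Library/Keychains/ on macOS.
KEYCHAIN_PATH = re.compile(r"^/Users/[^/]+/Library/Keychains/")


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since some epoch (constructed)
    process: str   # process name as reported by the sensor
    kind: str      # "file_read" or "net_connect"
    detail: str    # file path or remote host:port


def parse_events(text):
    """Parse constructed 'ts|process|kind|detail' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, kind, detail = line.split("|", 3)
        events.append(Event(int(ts), process.strip(), kind.strip(), detail.strip()))
    return events


def find_keychain_exfil(events, window_s=60):
    """Return (process, keychain_path, remote) alerts.

    An alert fires when a non-allowlisted process reads a user keychain file
    and the same process opens an outbound connection within window_s seconds.
    Duplicate alerts for the same triple are collapsed.
    """
    alerts = []
    pending_reads = []  # keychain reads by non-allowlisted processes
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.kind == "file_read"
                and KEYCHAIN_PATH.search(ev.detail)
                and ev.process not in KEYCHAIN_READERS_ALLOWLIST):
            pending_reads.append(ev)
        elif ev.kind == "net_connect":
            for read in pending_reads:
                if read.process == ev.process and 0 <= ev.ts - read.ts <= window_s:
                    alert = (ev.process, read.detail, ev.detail)
                    if alert not in alerts:
                        alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign securityd read, one benign browser
# connection, then a fake updater reading the login keychain and phoning home.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
1000|securityd|file_read|/Users/alice/Library/Keychains/login.keychain-db
1005|Safari|net_connect|198.51.100.5:443
1010|FakeFlashUpdate|file_read|/Users/alice/Library/Keychains/login.keychain-db
1012|FakeFlashUpdate|file_read|/Users/alice/Library/Keychains/login.keychain-db
1030|FakeFlashUpdate|net_connect|203.0.113.10:443
1200|FakeFlashUpdate|net_connect|203.0.113.10:443
"""


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return find_keychain_exfil(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for process, path, remote in demo():
        print(f"ALERT: {process} read {path} then connected to {remote}")
```

The securityd read and the Safari connection produce nothing, and the later connection at timestamp 1200 falls outside the 60-second window, so only the `FakeFlashUpdate` read-then-upload pair is reported. On a real endpoint the equivalent signals would come from an EDR or file-access sensor rather than this constructed log.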

A Download that Doesn't Have to Happen

While its espionage targets military-related companies like Boeing and Lockheed Martin, MacDownloader is otherwise not very professional and compares poorly to modern-day equivalents like the Lambert family. Users familiar with the look of Flash update UIs should recognize this threat as a tactic, even without noticing the random switches between Flash-themed and security-software-themed elements. Finally, MacDownloader does a poor job of justifying its request for a password and includes multiple grammar errors in its English text.

In 2017, the buggy version of MacDownloader couldn't live up to its name by downloading and installing a persistent threat. Any new attacks are likely to update MacDownloader with working functionality, along with re-enabling the C&C server that receives the collected intelligence. Malware experts also consider it possible that further MacDownloader attacks will use different themes for their tactics.

MacDownloader is an incredibly clumsy attempt at spying on military contractors. If there's a lesson here, it's that agreeing to pop-ups can land your feet in a wholly avoidable fire.
