Mac OS devices have been popular not only for their ease of use and attractive design but also for their supposed immunity to cyber threats. That reputation is fading. A new piece of malware, detected a couple of days ago, tries to get onto users' computers through malicious Word macros. Macro abuse, a technique characteristic of the MS Office suite, has escalated sharply since the emergence of the Locky and Cerber ransomware families last year; both rely heavily on it to break into Windows systems. Has the era of Mac OS ransomware begun?
Thanks to the malware analyst Snorre Fagerland, news of this unusual sample broke quickly. Before running its main payload, the malware checks whether Little Snitch, a third-party outbound firewall for Mac OS, is installed on the system; if it is, the malware terminates itself. The key feature, however, is that the malicious document asks the Apple user to enable macros. Once macros are enabled (or if they are already permitted by default), the embedded code connects to a remote server, securitychecking[.]org[:]443/index[.]asp, to download the main payload that completes the attack. The downloaded content is then decoded and executed. In 2008, MS Office dropped macro support for Apple devices, and many users welcomed the change because it removed a whole class of infection vectors. Three years later, with Office 2011, the company brought the feature back, this time with an important addition: a warning prompt before a file containing macros is allowed to run them.
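The chain above only starts if the recipient lets Word run macros, so a useful first line of defence is to check, before a document ever reaches a user, whether it carries VBA at all. The following Python script is an added example, not code from the original article or from the malware analysis: it opens an OOXML Word file as the ZIP container it is and reports whether it contains the `word/vbaProject.bin` part or declares the macro-enabled content type. The sample documents are constructed in memory by the `_build_doc` helper; that helper, its placeholder part contents, and the `triage_office_doc` name are assumptions made for this demonstration.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# The OLE container that holds the compiled and compressed VBA project.
VBA_PART = "word/vbaProject.bin"


def triage_office_doc(data: bytes) -> dict:
    """Inspect a Word OOXML file (as bytes) for indicators that it carries VBA.

    The file name or extension is deliberately ignored: what matters is what
    the ZIP container actually holds and what [Content_Types].xml declares.
    """
    result = {
        "is_zip": False,
        "has_vba_part": False,
        "macro_content_type": False,
        "carries_macros": False,
        "parts": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container at all (could be a legacy .doc, RTF, or junk).
        return result
    result["is_zip"] = True
    names = zf.namelist()
    result["parts"] = names
    result["has_vba_part"] = VBA_PART in names

    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        # Any Override/Default entry advertising the macro-enabled main part.
        for el in root.iter():
            if el.get("ContentType") == MACRO_CONTENT_TYPE:
                result["macro_content_type"] = True
                break

    result["carries_macros"] = result["has_vba_part"] or result["macro_content_type"]
    return result


def _build_doc(macro_enabled: bool) -> bytes:
    """Construct a minimal sample document in memory (assumed test fixture,
    not a real Office file): the macro-enabled variant carries a placeholder
    vbaProject.bin that starts with the OLE compound-file magic bytes."""
    ct = MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
            zf.writestr(VBA_PART, ole_magic + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain .docx", _build_doc(False)), ("macro .docm", _build_doc(True))):
        r = triage_office_doc(doc)
        verdict = "CARRIES MACROS" if r["carries_macros"] else "no macros"
        print(f"{label}: {verdict} (vbaProject.bin={r['has_vba_part']}, "
              f"macroEnabled type={r['macro_content_type']})")
```

This is a presence check only: it tells you a document ships with a VBA project, which is exactly the case where the "Enable Macros" prompt matters, but it does not decompress or classify the macro code itself. For that, a dedicated parser such as olevba from oletools is the right next step, and any document that trips this check should be routed there rather than to the user's inbox.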
The analysis reveals that the malware is written in Python 2.7. Its execution stages resemble components of EmPyre, a post-exploitation OS X/Linux agent that lets an attacker spy on users. Requiring the victim to enable macros is a hallmark of ransomware campaigns, notably Locky and Cerber, so the appearance of the technique on Mac OS is a wake-up call for the Apple community. That said, Mac OS malware is not a completely unknown phenomenon. Another recently detected sample, attributed to Iran, tries to get onto systems by posing as an Adobe Flash installer. One thing is certain: the era in which Mac OS users could browse the Web without a second thought is coming to an end. Besides applying software updates that fix known security flaws and using security tools, users should be vigilant when installing new content or enabling new features. Think twice before you click "Install" or hit "Enable".