Mac OS Malware bypass Security with Developer Certificates

Cybercriminals alter the vendor’s website and replace legitimate apps with dubious ones that are meant to steal data from the user.

If the ransomware got active in late 2016 with tampered transmission app, it’s now that they have increased the threat and now they have focused on compromising Apple’s Mac OS.

We have seen how the RAT distributed Elmedia media player software involving Proton remote access Trojan actively targeting popular application. There have been more than 1 million downloads, which is more than enough to do maximum damage.

It will foolish to think that Mac malware will doom one day. If there is anything we need to understand is that cyber criminals are fully focussed on attacking popular applications to steal data. Supply chain attacks that alter the vendor’s website and replace legitimate apps and replace them with spurious ones. Tampering website is just a minor step towards this crime, and so one has to be aware of their website has been tampered with, check the logs for any unauthorized entry.

A Brief History Lesson

Ransomware has been incredibly popular on Windows-running systems, as cyber criminals figured there’s a lot of money to be made by holding user data for ransom. And they were right. It’s estimated that ransomware alone generated more than $1 billion for malware developers in 2016, and an even higher figure is expected in 2017.

Ransomware malware has gone on to create havoc across the world, mostly attacking Windows OS, and now they have gone a step ahead to attack even Android, Linux, and iOS. The year 2017 has witnessed quite some drama when cyber attacks had been on the rise and at high frequency.

Since most of us believed that Mac OS remains unaffected and it will take some time for the attackers to find a way to penetrate the Mac system, here comes the Transmission incident. Ransomware can ransack Mac. The malicious app is signed with a valid stolen developer certificate, that bypass the Mac OS built-in security screening. This allows the app to get installed without alerting any suspicion. The cyber experts call this ‘Supply chain attack’ since it uses a technique that infringes the tool they use.

Since the attackers are trying to put a dubious app on a legitimate website of the vendor, they need not have to spend their time for phishing. The website integrated with third-party makes it easier for criminals to look for vulnerabilities.

Proton RAT on Mac OS

Interestingly, it’s not the first time that Proton RAT has to find its way to Mac OS. An open source video transcoder HandBrake was refurbished with Trojan earlier this year, and the supply chain attack caused many users downloaded the dubious files.

Proton RAT is a very clever application, that bypasses Apple’s security besides supporting Apple developer certificates. The application also has the ability to have a complete control of the user’s system by literally capturing screens, even stealing data and uploading them and pretty much everything that a user can do with his system.

It has been a tough call to distinguish which is the safe app since it often sourced from legitimate apps. It has become mandatory to have a Mac OS security solution that can identify and kill such malware and keep a close monitor on the remote-activity if any. Better be safe than sorry.