In recent years, the threat landscape for the MacOS operating system has changed significantly, drawing the attention of Trellix. According to StatCounter, the use of MacOS increased by 2% when comparing the period from January 2021 to January 2023 with the period from January 2023 to August 2024. The platform's growing popularity among corporate users attracts cybercriminals, from groups specializing in financial crime to advanced persistent threat (APT) actors.
MacOS is attractive to attackers not only because of the growing number of devices, but also because of who uses them. Unlike point-of-sale terminals, where MacOS is rare, the operating system is more often used by developers, information security specialists, vice presidents and senior executives. Access to such users' devices opens the way to fraudulent transactions, theft of confidential information, or disabling of internal security systems.
The spread of threats is helped by the growing use of cross-platform programming languages such as Golang for writing malware. Unlike traditional languages such as C++, where significant code adaptation is needed to run on different platforms, modern cross-platform languages let attackers add MacOS to their list of target systems with minimal effort.
The North Korean hacker group Lazarus is prominent in attacks on MacOS. Since 2018 the group has distributed malware through fake cryptocurrency trading applications, since MacOS is common among cryptocurrency users and enthusiasts. One example is the GMERA malware, embedded in fake platforms such as “Union Crypto Trader”. Victims are lured with phishing emails and sophisticated social engineering. Once installed, the malware maintains control over MacOS systems via LaunchDaemons or LaunchAgents.
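The LaunchDaemon/LaunchAgent persistence mentioned above is something a defender can audit directly. As an added example (not from the article or from Trellix), the Python below inspects launchd job plists and flags the traits such implants tend to share; the sample plists, paths and heuristics are constructed for illustration, and the signals are heuristics, not proof of compromise.

```python
import plistlib

# Constructed sample plists (illustration only, not real malware artifacts), standing in for
# files collected from ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.apple.softwareupdate.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/tmp/.update/run</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup-agent</string><string>--daemon</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
}

APPLE_JOB_DIRS = ("/System/Library/", "/Library/Apple/")  # where Apple's own jobs live
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3", "/usr/bin/curl"}


def inspect_launchd_job(path: str, data: bytes) -> list[str]:
    """Return the reasons a launchd job plist looks like a persistence implant ([] if none)."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else []))
    reasons = []
    # Apple-branded label installed outside Apple's own job directories (masquerading)
    if job.get("Label", "").startswith("com.apple.") and not path.startswith(APPLE_JOB_DIRS):
        reasons.append("Apple-style label outside Apple job directories")
    # Program or argument living in a temp, shared or hidden ("/.") directory
    if any(a.startswith(SUSPECT_PREFIXES) or "/." in a for a in args):
        reasons.append("program or argument in temp/shared/hidden path")
    # Job is really a shell or script interpreter launching something else
    if args and args[0] in INTERPRETERS:
        reasons.append(f"launched through interpreter {args[0]}")
    # Weak signal on its own (many legitimate daemons do this): start at login/boot, restart on exit
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive")
    return reasons


def audit(plists: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each flagged plist path to its reasons; jobs with nothing flagged are omitted."""
    return {p: r for p, d in plists.items() if (r := inspect_launchd_job(p, d))}


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_PLISTS).items():
        print(path, "->", "; ".join(reasons))
```

On a real host, replace SAMPLE_PLISTS with the plist files read from the launchd directories and review anything flagged against the installed software inventory.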
By 2020, Lazarus had expanded its arsenal with cross-platform malware. The ElectroRAT campaign, run in 2020-2021, targeted cryptocurrency users on MacOS, Windows and Linux. The group created fake websites and fake online profiles to promote malicious applications on cryptocurrency forums. The malware gave the attackers backdoor access to victims’ systems.
Lazarus has also carried out supply-chain attacks using XcodeSpy, aimed at MacOS developers. The attackers inserted malicious scripts into an open-source repository; when the infected Xcode projects were compiled, the developers’ systems were infected. This approach not only gave access to the development environment but also created risks for the software built there.