Report: Iranian Hackers Target Activists’ Mac Devices With Revamped Malware
State-sponsored Iranian hackers, who had until now focused almost exclusively on civil and human rights-focused users of the Windows and Android operating systems, have for the first time developed malware (software that damages or disables computer systems) that targets users’ Apple devices, according to a new report by Internet security expert Collin Anderson.
“My fear is that many people switched to Mac (Apple) because they were concerned about malware and security issues (thinking Mac would better protect them), but doing this alone does not solve the issue,” Anderson, who is based in Washington, DC, told the Campaign for Human Rights in Iran. “So this is why this report is serious: it’s informing Mac users that they still have to be vigilant because Iranian groups are now targeting them as well.”
“Few if any people were infected by the Mac malware,” said Anderson. “The Windows versions that communicated with the same servers had infected a small number of people inside of Iran and in the diaspora.”
“We chose to report on the malware early on because it represented a change in the behavior of Iranian groups, rather than an active campaign with many victims,” he added. “Our goal was to prepare potential targets for the possibility of being targeted by educating them that macOS can still be vulnerable to malware.”
The internet and social media apps are heavily restricted and censored in Iran, with hardliners in the government viewing any form of internet freedom as a threat to the sanctity of the Islamic Republic. Research by the Campaign has shown that Iranian hackers, often directed by hardliners within the country’s government, periodically launch campaigns against civil and human rights activists and organizations to disrupt or intimidate them into ceasing their peaceful activism.
Anderson, who runs the Iran Threats website, told the Campaign that the hackers are targeting the computers of civil rights activists with a revamped version of the MacDownloader malware, which was previously used to target industrial infrastructure.
MacDownloader was designed to steal victims’ computer passwords by luring them to a fake prompt box that invites account holders to provide or reset their passwords.
A statement issued by Iran Threats on February 6, 2017 detailed the process:
“A macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.”
Once hackers obtain a copy of the OS X Keychain databases, they can potentially recover the passwords stored there for email, websites, software and hardware, and with them access virtually all the information users keep on their computers and online.
What can users do to protect themselves against this malware?
“There’s no simple remedy, and the best protection is to be skeptical about the software that one downloads, and to be cautious about the emails they receive,” Anderson told the Campaign.
“As we show in the report, antivirus software typically relies on having detected a piece of malware before flagging it as malicious,” he added. “Since the Iranian attacks are targeting a small population (rights activists), the detection rate by those products is low. Antivirus is not sufficient in protecting against targeted attacks.”
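The report describes MacDownloader as an agent that poses as an Adobe Flash installer or the Bitdefender Adware Removal Tool and copies OS X keychain databases, and Anderson notes that antivirus products usually need to have seen a sample before they flag it. The script below is an added example (not code from the report, from Iran Threats, or from the malware) of the kind of behaviour-based check that does not depend on a prior sample: it flags any process outside a trusted signer set that reads keychain database files, and any app whose displayed name claims a vendor that its code signature does not back up. The event format, the signer strings, and the sample events are all constructed for illustration; in a real deployment the events would come from an endpoint sensor and the expected signer values would be the vendors' actual signing identities.

```python
"""
Behaviour-based detection sketch for keychain exfiltration on macOS.
Added example; the event schema and sample events below are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class FileEvent:
    process: str       # executable path of the process that opened the file
    bundle_name: str   # application name as shown to the user
    signer: str        # signing identity from the code signature; "" if unsigned
    file_path: str     # file the process opened for reading


# Path fragments that identify the keychain databases MacDownloader copied.
KEYCHAIN_MARKERS = ("/Library/Keychains/", "login.keychain")

# Assumption for this example: the sensor reports Apple platform binaries
# with the signer string "Apple". Only those may read keychain DBs silently.
TRUSTED_SIGNERS = {"Apple"}

# Vendor names the malware impersonated (from the report), mapped to the
# signer a genuine build would carry. Placeholder values, not real Team IDs.
CLAIMED_VENDOR_SIGNERS = {
    "adobe flash": "Adobe",
    "bitdefender": "Bitdefender",
}


def is_keychain_path(path: str) -> bool:
    """True if the path points at a keychain database file."""
    return any(marker in path for marker in KEYCHAIN_MARKERS)


def vendor_mismatch(ev: FileEvent) -> bool:
    """True if the bundle name claims a vendor but the signature does not match it."""
    name = ev.bundle_name.lower()
    for claim, expected in CLAIMED_VENDOR_SIGNERS.items():
        if claim in name and ev.signer != expected:
            return True
    return False


def analyse(events: List[FileEvent]) -> List[str]:
    """Return one alert string per suspicious observation, in event order."""
    alerts = []
    for ev in events:
        if is_keychain_path(ev.file_path) and ev.signer not in TRUSTED_SIGNERS:
            alerts.append(
                f"KEYCHAIN_READ: {ev.process} ({ev.signer or 'unsigned'}) read {ev.file_path}"
            )
        if vendor_mismatch(ev):
            alerts.append(
                f"VENDOR_MISMATCH: '{ev.bundle_name}' signed by {ev.signer or 'nobody'}"
            )
    return alerts


# Constructed sample events: one benign Apple tool, one unsigned "Flash installer"
# reading the login keychain, one ordinary browser read, one correctly signed vendor tool.
SAMPLE_EVENTS = [
    FileEvent("/usr/bin/security", "security", "Apple",
              "/Users/alice/Library/Keychains/login.keychain-db"),
    FileEvent("/Users/alice/Downloads/Adobe Flash Player.app/Contents/MacOS/installer",
              "Adobe Flash Player", "",
              "/Users/alice/Library/Keychains/login.keychain-db"),
    FileEvent("/Applications/Safari.app/Contents/MacOS/Safari", "Safari", "Apple",
              "/Users/alice/Documents/notes.txt"),
    FileEvent("/Users/alice/Downloads/Bitdefender Adware Removal Tool.app/Contents/MacOS/tool",
              "Bitdefender Adware Removal Tool", "Bitdefender", "/etc/hosts"),
]


if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Run as-is, the script raises two alerts, both for the unsigned "Adobe Flash Player" event: one because a non-Apple process read the login keychain, and one because the name claims Adobe but the binary carries no Adobe signature. The genuine Apple tool and the correctly signed vendor tool produce nothing. The point is that neither check needs a hash of the malware in advance, which is exactly the gap Anderson describes in signature-based antivirus.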