iWorm Description

Malware that targets Mac computers is becoming more and more common by the day. One of the threats that target machines running OSX exclusively is called iWorm. Cybersecurity researchers have firs spotted this threat back in 2014. It has been reported that the iWorm malware has managed to compromise around 18,000 devices worldwide. This threat is capable of taking control of the infected host and using it for various purposes. It appears that the operators of the iWorm malware are using it to build a botnet. Experts are not fully certain what the botnet will be used for, but it is likely that it may be employed in DDoS (Distributed-Denial-of-Service) attacks, mass spam email campaigns, cryptocurrency mining operations, etc.


Apart from being able to gain control over the compromised system, the iWorm malware also enables its operators to collect data about their target. Furthermore, the iWorm threat allows the attackers to execute remote commands and collect data regarding the network traffic of the victim. In the case of an issue with the primary C&C (Command & Control) server that the iWorm malware connects to, the threat is capable of switching to an alternative C&C server. To obtain persistence on the compromised host, the iWorm threat will make sure to spawn a new LaunchDaemon that will trigger the execution of the threat every time the user reboots the Mac. The iWorm backdoor may use the filename ‘application.com.JavaW’ that is meant to look as legitimate to the user so that no red flags are raised.

Hosts C&C Servers Addresses on Reddit

The iWorm malware utilizes an interesting infrastructure when grabbing the addresses of the C&C servers of its operators. Most authors of malware tend to use third-party websites like PasteBin or simply hardcode the addresses into the code of the threat. However, the creators of the iWorm backdoor are hosting the C&C servers’ addresses on Reddit.com, a website that is often referred to as the front page of the Internet. The addresses in question are encoded and posted by a user with the nickname ‘vtnhiaovyd.’ The authors of the threat are disguising the encoded C&C servers addresses as Minecraft server IPs. Accounts that have been linked to the threatening activity of the iWorm malware have been banned, but this does nosignify that the attackers have seized the campaign.

So far, it would appear that the compromised machines have not been used in cryptomining operations or DDoS attacks. The creators of the botnet do not appear to have utilized the infected computers for any operations yet. If you want to maintain your machine safe from threats like the iWorm backdoor, make sure you download and install a genuine anti-malware tool and do not forget to update it regularly.