The MacDownloader malware is a potent threat capable of doing considerable damage if it compromises a system successfully. As its name suggests, MacDownloader targets systems running Apple's OS X. Its authors appear to propagate it by disguising it as an Adobe Flash Player update. This relatively high-end threat is likely the work of an Iranian APT (Advanced Persistent Threat). Because this APT mainly goes after high-profile targets, regular users are unlikely to encounter the MacDownloader malware. According to reports, MacDownloader has so far been used against US defense contractors such as Lockheed Martin, Raytheon and Boeing.
How the MacDownloader Threat Operates
The authors of the MacDownloader malware appear to distribute it through spam email campaigns. The email's goal is to persuade the target to visit a website offering free training programs and courses tailored to that person. If the target tries to view any of the content hosted on the bogus page, the site asks them to download and install an update to Adobe Flash Player, a common trick malware authors use to spread their creations. If the target falls for it and runs the fake Flash Player update, MacDownloader shows a fraudulent installation progress bar and then displays a notification claiming that adware is present on the user's system. This alone should raise a red flag: Adobe Flash Player has no component that performs anything like security scanning. The fake alert goes on to state that the supposedly detected adware will be removed, and MacDownloader then asks the user to enter their login credentials to begin the removal. Legitimate anti-malware tools do not ask for your username and password, and such a request should be treated as a warning sign.
MacDownloader does not gain persistence on the compromised host, so once the user closes it, the threat will not run again. As long as the target closes the application without entering their credentials, no harm is done. If the user does provide MacDownloader with their username and password, however, the threat stores the data in a file called 'applist.txt,' which is then transferred to the attackers' C&C (Command & Control) server.
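The credential-theft chain described above (a lure binary posing as a Flash Player update, credentials staged in 'applist.txt,' then an outbound connection to the C&C server) lends itself to a simple host-side detection rule. The following Python is an added example written for this page, not code from the original report or from any vendor; the endpoint telemetry it scans is constructed for illustration, the TEST-NET addresses are placeholders, and the user-writable path list and scoring thresholds are assumptions.

```python
"""Toy detection rule for the MacDownloader credential-theft flow.

Constructed sample telemetry and assumed field names; not real host data.
Each event is a dict with a pid, a type and either a path or a destination.
"""
import posixpath
from collections import defaultdict

APPLIST_NAME = "applist.txt"                     # staging file named in the report
LURE_TOKENS = ("adobe flash", "flash player")    # the fake-update lure
# Assumed: locations a downloaded lure would run from, unlike a real install path.
USER_WRITABLE = ("/users/", "/tmp/", "/private/tmp/", "/var/folders/")

# Constructed endpoint events (not from any real host). pid 501 follows the
# described chain; pid 777 is a normal browser; pid 812 only touches a file
# that happens to share the applist.txt name.
SAMPLE_EVENTS = [
    {"pid": 501, "type": "exec",
     "path": "/Users/alice/Downloads/Adobe Flash Player Update.app/Contents/MacOS/installer"},
    {"pid": 501, "type": "file_write", "path": "/Users/alice/Library/applist.txt"},
    {"pid": 501, "type": "net_connect", "dst": "203.0.113.10:443"},
    {"pid": 777, "type": "exec", "path": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"pid": 777, "type": "net_connect", "dst": "198.51.100.5:443"},
    {"pid": 812, "type": "exec", "path": "/usr/bin/touch"},
    {"pid": 812, "type": "file_write", "path": "/tmp/applist.txt"},
]


def looks_like_flash_lure(image_path: str) -> bool:
    """True when a process image is named like a Flash Player installer but
    runs from a user-writable location rather than a system install path."""
    p = image_path.lower()
    return any(tok in p for tok in LURE_TOKENS) and p.startswith(USER_WRITABLE)


def find_macdownloader_like(events):
    """Group events by pid and flag processes matching the described chain:
    lure-named binary -> applist.txt written -> outbound connection after it.

    Returns a list of findings, each with the pid, image path and the
    indicators that fired. applist.txt alone is a weak signal (any tool may
    use that name), so a finding requires at least one corroborating indicator.
    """
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        image = next((e["path"] for e in evs if e["type"] == "exec"), "")
        indicators = []
        if looks_like_flash_lure(image):
            indicators.append("flash_lure_in_user_dir")

        applist_writes = [
            i for i, e in enumerate(evs)
            if e["type"] == "file_write"
            and posixpath.basename(e["path"]).lower() == APPLIST_NAME
        ]
        if applist_writes:
            indicators.append("wrote_applist_txt")
            # Exfiltration follows staging: only a connection *after* the
            # first write counts, so ordering of events matters here.
            first_write = applist_writes[0]
            if any(e["type"] == "net_connect" for e in evs[first_write + 1:]):
                indicators.append("net_connect_after_applist")

        if "wrote_applist_txt" in indicators and len(indicators) >= 2:
            findings.append({"pid": pid, "image": image, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for hit in find_macdownloader_like(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']} -> {', '.join(hit['indicators'])}")
```

Running the block on the constructed events flags only pid 501; the process that merely creates a file named applist.txt is ignored because nothing else corroborates it. In a real deployment the same logic would sit over EDR process, file and network telemetry, and the "lure in a user-writable directory" check is the part worth keeping even if the staging file name changes in a later variant.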
As mentioned, MacDownloader does not gain persistence, but this is not by design: its creators attempted to make the application persistent, and bugs in the MacDownloader code prevent it from establishing persistence on the infiltrated machine. At present, the C&C server of the MacDownloader threat is offline, so the threat cannot cause damage for the moment. MacDownloader nonetheless has considerable potential to harm its targets and may soon be updated and weaponized further.