Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Researchers See Links Between Iran and Mac Malware

MacDownloader Engineered to Steal Passwords from macOS's Keychain
Researchers See Links Between Iran and Mac Malware
MacDownload disguises itself as an Adobe Flash update (source: Claudio Guarnieri and Collin Anderson)

Bad news: A half-finished sample of new Mac malware recently appeared on the desktop of a human rights advocate. But the good news, researchers say, is that the malware is sloppily written, and thus poses little risk to users. Circumstantial technical evidence links the malware to Iran, which information security watchers believe has an active cyber offensive program.

See Also: Close the Gapz in Your Security Strategy

That analysis comes via computer security researchers Claudio Guarnieri and Collin Anderson, who both track developments in suspected state-sponsored attacks against dissidents and government censorship of the internet.

Their malware analysis, published Feb. 6, suggests that the malicious code in question, called MacDownloader, was built by a group nicknamed Charming Kitten, which they believe is connected to Iranian security companies.

The human rights community in Iran tends to put more faith in the security of the Apple products because they're generally targeted less than Windows devices, the researchers write. But that belief could result in targets underestimating the information security risks they face. "While this agent [malware] is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers with certain communities and inaccurate perceptions about the security of those devices," they write.

To get infected, a victim would have to continue to click on menu dialogues in order to install it. Still, as of the researchers' blog post, no vendors on VirusTotal - a free service that subjects suspected malware to multiple anti-virus scanners - were detecting it.

Charming Kitten's Messy Code

MacDownloader, however, is a mess. It's full of typos and grammatical errors, which is a strong sign to any user that an application isn't legitimate. In this case, the application first presents itself as an update for Adobe System's Flash multimedia application and gives users the option of closing out the related installation dialogue box. If users close the box, the malware does indeed exit.

But if a victim opts to install the bogus update, a different dialogue box appears that says adware was discovered on the computer. It's the type of warning that would typically come from a security application, rather than from a Flash update.

"We believe MacDownloader was originally designed as a fake virus removal tool and in order to fit a particular social engineering attempt; it was later repackaged as a fake Flash Player update," the researchers write.

If executed, the MacDownloader malware warns that adware has been discovered on a system. (Source: Claudio Guarnieri and Collin Anderson.)

When running, MacDownloader profiles a computer and tries to collect credentials from the keychain, macOS's built-in password manager.

Linked to Iranian Government?

The researchers believe MacDownloader has a strong connection to Iran, based on command-and-control data, strings in its code and how it was distributed.

The malware was first spotted on a website for a bogus company called United Technologies Corp. The company appears to have been created in order to target the defense industry, offering fake courses for employees of Lockheed Martin, Raytheon and Boeing. Researchers say the website was previously used as part of a spear-phishing campaign that sent emails laden with Windows malware.

The potential connection to Iran comes via metadata in MacDownloader's code, the researchers say. In particular, the bundle identifier, which lists the application's developer, is listed as "zenderod," which the researchers say may be a reference to the Zayandeh River that runs near Isfahan, Iran.

The transliteration of the river's name is also close to the domain name of a software and hosting company near Isfahan called Novin Pardaz Zenderod, which originally used the "" domain name.

"We contacted an individual listed as the administrative contact for Novin Pardaz Zenderod, and they denied producing macOS software or association with the malware," the researchers write.

They also found files that had been uploaded to a command-and-control server that originally came from a Macbook Pro that had been infected with MacDownload. The files included references to two wireless networks whose names have been linked to an Iranian group that defaces websites, as well as another name previously found in a sample of Windows malware, both of which appear to be connected to pro-Iran groups that are "involved in state-aligned campaigns."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.