In 2023, Apple devices faced an escalating threat landscape with the discovery of 21 new malware families targeting macOS systems, marking a more than 50% increase compared to the previous year. Cybersecurity researcher Patrick Wardle conducted a comprehensive analysis, detailing the infection vectors, persistence mechanisms, features, and purposes of each new malware family.
Notable inclusions were Mac versions of the LockBit file encryptor and a ransomware named Turtle, highlighting cybercriminals' continued interest in infiltrating Apple devices. Information stealers dominated the landscape, with malware such as PureLand, Realst, MetaStealer, AtomicStealer (AMOS), JaskaGO, MacStealer, and GoSorry aiming to collect and exfiltrate sensitive data such as passwords, cookies, and cryptocurrency wallets.
In the realm of Advanced Persistent Threat (APT) activities, North Korean-linked threat actors were particularly active, contributing to the development and deployment of macOS malware like SmoothOperator, RustBucket, KandyKorn, ObjCShellz, FullHouse.Doored, StratoFear, and TieDye, the latter two associated with the JumpCloud attack. Other APT-developed macOS malware included JokerSpy and NokNok linked to Iran.
The roster of macOS threats expanded further with the identification of the SparkRAT backdoor, Geacon backdoor, WSClient proxy, iWebUpdater backdoor, and a sample known simply as "updater" (which had existed for five years), alongside new variants of the CoinMiner and XLoader malware. Reports also surfaced regarding a potential macOS version of the Triangulation implant, as well as advertisements for macOS malware named hVNC and ShadowVault, although neither had yet been observed in actual cyber incidents.