According to Claudio Guarnieri and Collin Anderson, two independent security researchers who have been tracking Iranian hackers for the past few years, the malware has also been used against a human rights advocate.
The malware, dubbed MacDownloader, attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, to extract system information and copies of OS X keychain databases.
“Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions, the pair said in a blog post.
The malware was found on a fake website impersonating a US aerospace company called United Technologies Corporation. The website has been used by Iranian hackers in the past as a spear-phishing site for spreading Windows malware. Visitors to the website are offered “Special Programs And Courses," specifically mentioning employees and interns of Lockheed Martin, Sierra Nevada Corporation, Raytheon and Boeing.
The malware is found in a fake Adobe Flash installer for a video on the website. The target will be provided either Windows or Mac malware based on the detected operating system, with Windows clients provided a dropper written in Go.
The researchers said the packaging of the MacDownloader sample also provides “further indication of its Iranian origin through its name, ‘add one flashplayer.app', which would suggest that a Persian-language speaker named the file based on grammar.”
They added that the Mac malware seemed to be poorly developed and created towards the end of 2016, potentially a first attempt from an amateur developer.
When installed the malware displays a bogus Adobe Flash Player dialog box. It then says that adware has been found on the victim's system and that it will attempt to remove it.
“These dialogues are also rife with basic typos and grammatical errors, indicating that the developer paid little attention to quality control,” said the researchers. They added that they believed MacDownloader was originally designed as a fake virus removal tool and to fit a social engineering attempt, it was later repackaged as a fake Flash Player update.
Despite various errors and flaws in the malware, it has evaded antivirus detection by virus scanning engines on VirusTotal, which suggests that consumer antivirus software may have difficulty detecting the agent, according to the researchers.
Other clues pointed to its Iranian origins, according to the researchers. They said that in testing the malware agent, hackers infected a MacBook Pro and uploaded system information to a command and control server for a user called Ultrone. Keychain details showed wireless networks called "Jok3r" and "mb_1986”.
“Jok3r corresponds with a member of a defacement group, Iran Cyber Security Group, who continues to be fairly active in vandalising sites,” they said.
The latter wireless network provides a connection to earlier Iranian campaigns, overlapping with the Flying Kitten actor group and subsequent malware activity in summer 2014, said the researchers.
They said that many groups, including human rights activists, have shifted to Macs in the interest of security and stability.
“While this agent is neither sophisticated nor full-featured, its sudden appearance is concerning given the popularity of Apple computers with certain community, and inaccurate perceptions about the security of those devices,” they said.
Andrew Avanessian, vice president at Avecto, told SC Media UK that Macs are widely used within enterprise environments and are often favoured by the C-suite due to their strong brand appeal and supposed usability.
“This popularity, combined with the widely held and dangerous belief within the enterprise that Apple devices are immune to security threats, makes these systems ideal targets,” he said.
Avanessian added that the fact that a poorly developed, amateur malware still cannot be detected by most virus scanning engines shows that companies can't just rely on antivirus software or assume that devices running on Mac operating systems are automatically secure.
“Organisations need to take proactive measures to ensure that they aren't vulnerable to malware. These measures can be as basic as removing administrative privileges to minimise employee access to sensitive data and blocking unknown applications from running,” he said.