
1,000% increase in dark web threat actors targeting macOS

Based on research across established dark web forums, threat actors are targeting macOS, with exploits trading for millions of dollars


August 7, 2023

Light bulb moment on the dark web

Accenture Cyber Threat Intelligence (ACTI) has observed a significant increase over the past five years in dark web threat actors targeting macOS.

Increase in Dark Web threat actors targeting macOS

A line chart showing the increase in dark web threats to macOS from 2019 to 2023, with a large jump from 384 in 2021 to 2,295 in 2023.

Figure 1. Increase in dark web actors targeting macOS

Observation period between 2019 and January to June 2023

Growing macOS popularity

Historically, dark web cyber criminals have focused their efforts on Windows. Previous macOS-related activity has been limited in scope owing to the comparatively smaller role played by macOS in enterprise infrastructure globally and the more advanced and niche skills required to target the Apple operating system. Yet, in 2022 and the first half of 2023, macOS-targeting activity has intensified.

Here’s what’s on sale

  • Actors developing, maintaining and advertising macOS-specific infostealer strains.
  • macOS-focused threat actors dedicated to selling tools and services targeting macOS systems.
  • The sale of macOS enterprise certificates for malware distribution.
  • The development and sale of macOS-specific exploits, including alleged zero-day exploits.
  • A strong focus on macOS Gatekeeper bypass attacks.
  • LockBit 3.0 developing specific ransomware strains; other groups showing interest.

A perfect dark web storm

Cyber criminals’ keener interest in targeting the macOS operating system comes at a time when enterprise adoption of macOS is rising, creating a perfect storm that could elevate the threat to businesses using macOS as part of their technology stack. According to a survey by Jamf, a company that manages Apple devices, in 2020, the percentage of enterprise organizations that reported using Mac as their primary device increased to 23%, up from 17% in 2019. These numbers may have risen even more since the 2020 report, leaving businesses vulnerable unless they adjust their security posture to face this new, emerging threat.

Threat actors seek to bypass in-built macOS security

Of great concern is the emergence of established actors with positive reputations and large budgets looking for exploits and other methods which would enable them to bypass macOS security functions—in particular, macOS Gatekeeper and Transparency, Consent and Control (TCC). macOS Gatekeeper is a built-in security feature which enforces application code signing, so that only trusted software runs on the machine. TCC aims to limit the ability of applications to interact with various parts of the operating system without explicit user consent. Bypassing these could enable threat actors to deploy malware via untrusted applications.

One actor offered up to US$500,000 for a macOS Gatekeeper bypass or exploits (see Figure 2).

A screenshot of the forum post offering $500,000 for a macOS Gatekeeper bypass.

Figure 2. $500,000 for macOS Gatekeeper bypass

Offered on December 7, 2022 for any zero-day or one-day exploit

Another actor, holding a 14.047 Bitcoin deposit on the forum ($297,051.91 as of November 4, 2022), offered up to $1 million for a working exploit for macOS (see Figure 3).

Screenshot showing a 1 million dollar price tag for macOS exploits.

Figure 3. $1 million for macOS Exploits

Supply follows demand—but scarcity keeps prices high

Actors are spoiled for choice regarding malware and services targeting Windows and Linux owing to the widespread adoption of these systems and the long historical focus on targeting these platforms. Windows zero-day exploits are often advertised for thousands of dollars, malware for hundreds, whereas macOS zero-day exploits have been advertised for millions of dollars and malware for thousands, due to the lack of availability and high demand.

As a result, the potential returns are highly likely to encourage skilled actors to turn their efforts toward developing such tools and exploits to make big profits, a trend which ACTI has already observed beginning. In August 2022 one actor advertised an exploit for sale for $2.5 million for CVE-2022-32893, an out-of-bounds vulnerability affecting multiple Apple products (see Figure 4). This comes with an associated zero-day exploit. The veracity of this claim is uncertain, but such offers are becoming a more common occurrence on established dark web forums.

A screenshot of a dark web message board post advertising a macOS exploit.

Figure 4. Advertised Exploit for CVE-2022-32893

Specialized threat actors are emerging

A handful of skilled actors have emerged as go-to vendors for macOS-related tools and services. One actor, who operates on an exclusive and established underground forum, has gained a positive forum reputation and leads the way in offering several tools and exploits targeting macOS.

On March 8, 2023, the actor advertised the ability to create Apple Enterprise Certificates to bypass macOS Gatekeeper, a highly desirable service for macOS-focused threat actors. The service starts at a price of $100,000 and grants the buyer one of the actor’s bespoke “Apple Enterprise Certificates,” enabling them to use a legitimate certificate to sign their malware—drastically increasing the chances their malware can successfully deploy on victims’ devices.

Screenshot of a message board post in which the threat actor sells Apple Enterprise certificates.

Figure 5. Actor selling Apple Enterprise certificates

Focused threats

The same threat actor supplying bespoke Apple certificates also advertised the sale of macOS Hidden Virtual Network Computing (hVNC) malware on April 3, 2023 for $80,000, and the sale of a macOS vulnerability exploit for $50,000. The exploit bypasses security measures and enables Mach-O files to execute on any machine without the need to code-sign the binary. This method effectively removes the "com.apple.quarantine" attribute from the binary so that the code executes on any machine. In addition, this actor has agreed to partner with an actor seeking to develop iOS malware specifically targeting iCloud backups, and has sold a macOS loader for $7,000 per month.
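Gatekeeper only assesses files that carry the com.apple.quarantine extended attribute, which is why both the Gatekeeper bypass demand described earlier and the quarantine-stripping exploit above revolve around that marker. The script below is an added example (not code from this post or from Accenture) that decodes the attribute on files you point it at, so a defender can see which downloads Gatekeeper would still assess and which have lost the marker; it assumes the attribute's documented value layout `flags;hex-unix-time;agent;uuid`, and any sample values used with it are constructed.

```python
import os
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int               # LaunchServices flag bits written by the downloading app
    downloaded_at: datetime  # when the file was quarantined (UTC)
    agent: str               # application that wrote the attribute, e.g. Safari
    uuid: Optional[str]      # LaunchServices event id; absent in the older 3-field form


def parse_quarantine(value: str) -> Quarantine:
    """Decode a raw attribute value, assumed to be 'flags;hex-unix-time;agent[;uuid]'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, stamp, parts[2], uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the decoded attribute, or None when the file carries none.
    Uses os.getxattr where Python provides it (Linux) and the macOS `xattr -p`
    command otherwise. No attribute means Gatekeeper will not assess the file."""
    getxattr = getattr(os, "getxattr", None)
    try:
        if getxattr is not None:
            raw = getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
        else:
            raw = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                                 capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(raw)


def audit(paths) -> dict:
    """Map each path to its decoded attribute (or None) and print a one-line verdict."""
    results = {p: read_quarantine(p) for p in paths}
    for p, q in results.items():
        if q is None:
            print(f"{p}: no quarantine attribute; Gatekeeper will not assess it")
        else:
            print(f"{p}: quarantined by {q.agent} at {q.downloaded_at:%Y-%m-%d %H:%MZ}, flags=0x{q.flags:04x}")
    return results
```

Run it as `python3 quarantine_audit.py ~/Downloads/*` (after adding `audit(sys.argv[1:])` under a `__main__` guard) to list which downloads still carry the marker.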

The emergence of dedicated, skilled and credible threat actors focusing on macOS is problematic as they meet the demand posed by willing buyers and enable an increasing volume of threat actors to target macOS using sophisticated tools and bespoke techniques. The success of such actors means that more actors specializing in targeting macOS are likely to follow suit.

Surging demand for Infostealer malware turns attention to macOS

In 2022, infostealer malware dominated the cybersecurity threat landscape. This trend has continued into 2023. From November 2022 to July 2023, the inventory for sale on the market-leader dark web compromised credential marketplace Russian Market rose by 62%, from approximately 4.5 million to 7.3 million ‘logs’ (sets of victim login credentials).

As Windows-based infostealers saturated the market, innovative threat actors turned to new targets. Threat actors’ desire to target this previously untapped income stream has led to the emergence of a range of infostealer malware claiming to target macOS on dark web forums and Telegram channels. Despite a rocky start in early 2023, with several actors making false claims, receiving forum bans and selling poor products, AMOS and ShadowVault emerged as seemingly reputable products.

Accenture has observed several discussions on dark web forums revealing an appetite for new versions of macOS malware, and also for actors to add macOS-targeting capabilities to existing, established malware such as the LummaC2 infostealer. Moreover, ACTI observed monikers on the dark web associated with initial access brokers and possibly data extortion groups confirming that they had bought a macOS-capable infostealer and verified its operational capabilities. Accenture expects this demand to increase and for established infostealer vendors to announce macOS versions by the end of 2023.

Ransomware and macOS

On April 16, 2023 security group MalwareHunterTeam disclosed it had found the LockBit 3.0 ransomware group developing a macOS-focused version of its ransomware. Although the version was buggy, unfinished and imperfect, LockBit 3.0 did confirm through its underground moniker “LockBitSupp” that it was actively developing it. This is noteworthy as it is the first confirmed instance of a prominent ransomware group targeting macOS with a bespoke ransomware strain.

Accenture has observed other monikers associated with ransomware gangs showing increased interest in macOS attacks. A prominent Initial Access Broker, who Accenture assesses to have been historically associated with the Conti and REvil ransomware groups, purchased and tested the XLoader malware in 2022, which operates in macOS.

New pioneers

Accounts associated with a newly emerged ransomware affiliate scheme seeking partners on dark web forums have been active in macOS-focused discussions. The new group, “Monti”, claims to be using a rewritten version of Conti’s ESXi ransomware locker and to employ operators dating back to the early days of REvil in 2019. A new group formed of experienced ransomware operators, building a new locker based on leaked Conti code and active in macOS channels, is problematic and could show Monti is seeking to incorporate macOS targeting into its operations.

Although macOS ransomware strains are rare and unsuitable for deployment as of July 2023, this shows macOS is now firmly in the crosshairs of some prominent ransomware actors. Many of the products discussed in this blog—zero-day exploits, malware, certificates—could be of interest to ransomware gangs who have large budgets, technical expertise and who can invest time in trialing new attack vectors. The rewards for the first successful ransomware deployments on corporate networks using macOS have the potential to be huge.

The outlook for macOS threats

Accenture assesses this trend could continue throughout 2023 and beyond.

A combination of the increasing use of macOS in corporate environments, the high potential earnings of threat actors willing and able to target macOS, and the surging demand for macOS tools and wares suggests this trend will continue. As technically advanced and well-resourced threat actors continue to pour time and money into developing macOS-specific attack vectors, the techniques and capabilities available to the wider dark web community increase. As more products become available, technical knowledge trickles down and potential barriers to entry are removed, leading to a flurry of new offerings catering to macOS-targeting by dark web criminals, including more infostealers, ransomware strains, RATs, loaders, exploits and credential harvesters.

Increased risk to individual users and businesses relying on macOS for daily operations

Risks are increasing, especially in the first wave of attacks as end users and security teams need to adjust to a new and changing threatscape. The dark web acts as an excellent bellwether for upcoming cybersecurity threats and monitoring of closed communities and reputable actors suggests these threats are not going away any time soon. Monitoring of dark web sources to obtain threat intelligence on the latest tactics, techniques and procedures concerning threats to macOS could help to get ahead of the latest threats in this sphere.

Thanks to our blog contributors, Accenture Cyber Threat Intelligence Analysts Paul Mansfield and Thomas “Mannie” Willkan.

WRITTEN BY

Rob Boyce

Managing Director, Global Cyber Response and Transformation Services Lead – Accenture