- Researchers have discovered a new Mac malware dubbed Tarmac that is distributed via malvertising campaigns.
- Details about all the features of this new malware are yet to be discovered.
What we know
The Tarmac malware, also known as the OSX/Tarmac malware is being distributed through a malvertising campaign that redirects potential victims to sites displaying fake software updates.
- The fake updates are usually shown for Adobe Flash Player.
- Users who installed these updates would actually be downloading the OSX/Shlayer malware. This, in turn, launches the OSX/Tarmac malware.
- Tarmac collects data from the infected machines and passes it on to its command-and-control server.
- After this, it waits for further instructions from the server.
- The malware escapes detection by signing the payload with legitimate Apple developer certificates.
“Even though with a fake identity but this Apple Developer certificate is still signed by Apple thus the malware is allowed to run after some preliminary checks,” say researchers.
What we don’t know
The malvertising campaign that delivers Shlayer and Tarmac reportedly began in January 2019. The campaign was spotted in January but only the Shlayer malware was discovered then.
- Tarmac was identified by researchers now, but the versions they found were old.
- The command-and-control servers were either shut down or moved to another location.
- Because of the unavailability of the servers, researchers were unable to analyze all the capabilities of Tarmac.
- Second-stage malware strains usually come with powerful features. It is believed that this newly discovered malware could also pose a serious threat.
The malvertising campaign was found to be targeting macOS users in Japan, Italy, and the US.
“We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community,” a Confiant security researcher Tara Kahim told ZDNet.