New Tarmac Malware Targets MacOS Users | By Andrew Caroll

Security researchers have found a new piece of Mac malware called Tarmac. So far, its full set of features remains unknown.

The malware, Tarmac (OSX/Tarmac), was spread to macOS users through malicious online ad campaigns. These ads run rogue code inside the Mac user's browser, which redirects victims to websites that display pop-ups prompting them to update Adobe Flash Player.

Those who fell for this trick and downloaded the Flash Player update installed a malware duo on their system: first OSX/Shlayer, then OSX/Tarmac. Tarmac gathers information from the infected machine and transmits it to its command-and-control server.

After that, the malware waits for instructions from the server. The main reason the malware goes undetected is that its payload is signed with legitimate Apple developer certificates. Researchers also found that, "Even though with a fake identity, this Apple Developer certificate is still signed by Apple; thus, the malware is allowed to run after some preliminary checks."

It has been circulating since January 2019

According to Taha Karim, a security researcher at Confiant, this Shlayer+Tarmac combination began earlier this year. Confiant published a report about this malvertising campaign in January, but at that time they were able to identify only the Shlayer malware, not Tarmac.

Speaking of undetectable, some spyware programs are undetectable too. These are used on mobile phones to monitor the phone user’s activity. Xnspy is one such spyware that silently keeps a record of all phone activities and stays hidden. There is no way of knowing that there is such software installed on your phone.

However, two weeks ago, Confiant dug further into the malvertising campaign and its payloads, and it continues to do so. During this research, Karim found Tarmac as a second-stage payload of the initial Shlayer infection. But the version Karim found was older, and the malware's actual command-and-control servers had possibly shut down or moved elsewhere.

So far, what we know is that after Shlayer downloads and installs Tarmac on the infected host, Tarmac collects details about the hardware setup and sends them to the command-and-control server. At this stage, Tarmac waits for new commands. Because the servers were not available, Karim could not determine the full scope of the malware or analyze all of Tarmac's capabilities.

Most second-stage malware strains are potent and come with a variety of intrusive features, so in theory Tarmac could be quite a threat.

Shlayer and Tarmac Combo was targeted at users in the U.S., Italy, and Japan

The full features of Tarmac are yet to make the news, but here are some of the details:

According to Karim, the malvertising campaign responsible for spreading the Shlayer and Tarmac combo was specifically geo-targeted at users located in the U.S., Italy, and Japan. Although both the U.S. and Japan have been regular victims of such malware and malvertising campaigns, Italy making this list seems a bit strange.

According to Karim, "We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community."

Features such as Gatekeeper and XProtect will not stop the installation or show any errors, because Tarmac payloads are signed with legitimate Apple developer certificates.
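As an added example (not from the article or Confiant's report), here is a POSIX shell check that goes one step beyond Gatekeeper's "is it validly signed?" test and asks who signed a downloaded installer, by comparing the Team ID that `codesign -dv --verbose=4` reports against the expected vendor's. The Team IDs and the codesign-style output embedded below are constructed placeholders; on a real Mac you would replace the allowlist with the vendor's published Team ID and feed the function live codesign output.

```shell
#!/bin/sh
# Added example: a Developer ID signature only proves that *some* Apple
# developer account signed the binary. This check asks whether it is the
# developer you expected. Placeholder Team ID, not a real vendor's.
EXPECTED_TEAM_ID="EXPECTEDTEAM"

# Extract the first TeamIdentifier= line from codesign-style text on stdin.
# (The real tool prints this to stderr: codesign -dv --verbose=4 App.app 2>&1)
signer_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_signer <codesign output text>
# Returns 0 only when the signer's Team ID matches the expected vendor.
check_signer() {
    team=$(printf '%s\n' "$1" | signer_team_id)
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "REJECT: unsigned or ad-hoc signed"
        return 1
    fi
    if [ "$team" = "$EXPECTED_TEAM_ID" ]; then
        echo "OK: signed by expected Team ID $team"
        return 0
    fi
    # Valid Developer ID chain, so Gatekeeper would accept it, but wrong signer.
    echo "REJECT: signed by unexpected Team ID $team"
    return 1
}

# Constructed sample: a look-alike "Install.app" with a valid but unrelated
# Developer ID. Gatekeeper alone would let this run.
SAMPLE_LOOKALIKE='Executable=/Volumes/Install/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Authority=Developer ID Application: Some Person (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample: the same fields for a genuine vendor build.
SAMPLE_EXPECTED='Identifier=com.example.vendor.installer
Authority=Developer ID Application: Example Vendor (EXPECTEDTEAM)
TeamIdentifier=EXPECTEDTEAM'

# Constructed sample: not signed at all.
SAMPLE_UNSIGNED='Identifier=com.example.unsigned
TeamIdentifier=not set'
```

The same idea applies to `spctl --assess --verbose` output: read the signing authority it reports rather than stopping at "accepted".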

Companies and users trying to determine whether this malware has infected their systems can consult the indicators of compromise (IoCs) in the Tarmac report compiled by Taha Karim.

How to stay safe?

So, what can you do to stay safe? If you think your phone/tablet is acting odd, here are a few things you can do to keep your data and device safe:

  • Do not download unnecessary emails, messages, or links. Be cautious about what you download and verify that it is safe.
  • To add a safety layer, you could also scan your Mac with an antivirus for Mac. You could use premium paid or free software for in-depth scanning of the device and removal of malware. Remember, don't fall for other kinds of malware while searching for an antivirus: if a site says "your computer is infected," that is not the anti-malware you want to download. You could check the list of antivirus programs for macOS recommended by TechRadar. And don't worry, almost all good antivirus programs scan for malware too.

November 20, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013