A variant of the Dridex banking malware is using macOS to spread to others, by using email attachments that look like regular documents.
Security researchers at Trend Micro said on Thursday that the malware previously targeted Windows, but now the cybercriminals have changed their strategy to go after macOS.
The Dridex malware sample Trend Micro analyzed takes the form of a Mach-O file, an executable file that can run on macOS and iOS. File extensions they use include .o, .dylib, and .bundle.
The Mach-O file contains a malicious document that runs automatically once a user opens it. It then overwrites all Microsoft Word files in the macOS user directory and contacts a remote server to download more files, including a Windows executable file (.exe) that runs the Dridex malware.
These executables can't run on macOS. But, if a user's Word files are overwritten with malicious versions, Mac users could unwittingly infect others when they share the files online.
For now, Mac users are safe from the Dridex malware. Trend Micro says it's possible that attackers could modify it to run on macOS in the future.
How to stay safe
First and foremost, with Dridex, the best way to protect yourself is to not open attachments where the provenance is unclear. Check who the sender is, not just by the displayed name of the sender, but also the email address.
For instance, your credit card company won't send you a receipt from a Gmail account.
Apple includes security tools such as Gatekeeper and the XProtect antivirus software that are built into macOS. Users can also choose to download antivirus software from a third-party company.
An online tool called VirusTotal can scan URLs and files that people upload and detect if it contains malware. For example, if an email has a Microsoft Word document or a Mach-O file as an attachment, it may be a good idea to scan it with the website.
AppleInsider will be covering the 2023 Consumer Electronics Show in person on January 2 through January 8 where we're expecting Wi-Fi 6e devices, HomeKit, Apple accessories, 8K monitors and more. Keep up with our coverage by downloading the AppleInsider app, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos throughout the event.
7 Comments
Don’t just check the from: address but look at the headers for the sender: header. It should match the from: or be from the same domain. from: headers can be forged and are just there for the user to see. The sender: header, when there, is the real address it is from.
Spam is so easy to detect, generally. AS @chadbag said, checking the headers is important. Also make sure not to follow any links in the email without first checking to see where they are going to. Often, that's a dead giveaway to anyone that knows what to look for. For example, if your bank is ABC Bank, and the link is going to "a-b-c-bank.ru", you know something's not right. :wink:
Microsoft Free here…..