What a new threat report says about Mac malware in 2024

By Andrew Orr

Apple's macOS has been under siege in 2024 as malware-as-a-service platforms and AI-driven threats make the year a turning point for Mac security.


For years, macOS had a reputation for being malware-resistant, but 2024 has painted a different picture. A surge in malware targeting macOS users -- fueled by the rise of malware-as-a-service (MaaS) platforms and even artificial intelligence -- is changing that narrative.

Moonlock's 2024 macOS Threat Report reveals alarming trends that are turning Apple's platform into a lucrative target for cybercriminals. The report dives into the evolving tactics attackers are using, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits that bypass key protections.

However, many of the attacks aren't due to flaws in the system. Instead, they result from users disabling the built-in safeguards or being deceived into installing malicious software, either intentionally or accidentally.

The growing market for Mac malware

Cybercriminals used to largely ignore Macs because of their smaller user base, but they now see the platform as another opportunity alongside the perennially targeted Windows. What's troubling is how accessible the tools for exploiting macOS vulnerabilities have become.

A decade ago, creating malware for the platform required deep technical skills and computing resources. Now, malware-as-a-service platforms like AMOS Stealer are lowering the barrier to entry.

For as little as $1,500 a month, even inexperienced hackers can buy a toolkit that automates the process of stealing user data. The affordability has opened the floodgates.

Another factor fueling the malware surge is the use of artificial intelligence. As Moonlock reveals, AI tools like ChatGPT are being used on darknet forums to guide hackers through the malware creation process, step by step.

Malware breakdown. Image credit: Moonlock

These tools can generate scripts, pack malware into installation files, and even teach attackers how to bypass macOS's Gatekeeper protections. AI-assisted malware lets even novices deploy threats that would have been out of their league just a few years ago.

Attackers bypass macOS's Gatekeeper protections through social engineering and technical manipulation, exploiting user trust and system vulnerabilities. These cybercriminals trick users into disabling Gatekeeper with fake prompts or detailed instructions claiming to install legitimate software.

Malware disguised as trusted apps or system updates overrides security warnings. In some cases, attackers obtain or steal valid Apple Developer certificates to sign their malicious software, bypassing Gatekeeper's verification.

Mac malware in 2024

Mac threats have been dominated by adware and ransomware for years. These tools, designed to annoy or extort users, were effective until 2024.

Adware campaigns are less lucrative due to improved user awareness and better protections. Ransomware on macOS hasn't achieved the same level of sophistication or success as on Windows.

Instead, hackers are turning to Stealers -- malware designed to quietly gather sensitive data like passwords, cookies, and cryptocurrency wallet details.

In August 2024, security researchers discovered "Cthulhu Stealer," a new macOS malware sold to cybercriminals for as low as $500 per month. The malware disguised itself as legitimate software like Grand Theft Auto IV or CleanMyMac to trick users into downloading and installing it.

Once installed, it prompted users to enter sensitive information, which it transmitted to attackers. Cthulhu Stealer shared similarities with "Atomic Stealer," suggesting the developers reused the code.

Another stealer in August was "Banshee Stealer." It collected extensive information from infected systems, including system details, passwords, and specific file types. It used evasion techniques such as detecting virtual environments and analysis APIs to avoid detection, and it checked whether the system was Russian-speaking.

The malware was distributed as a premium tool on underground forums, with a steep price tag of $3,000 per month, indicating its sophistication and intended use by serious cybercriminals. However, there is no clear indication that Apple has patched Banshee.

Meanwhile, in September 2024, cybersecurity experts discovered a new macOS threat called HZ Remote Access Tool (HZ RAT). The malware granted attackers full administrative control over infected systems.

HZ RAT was typically distributed through tampered versions of popular applications like OpenVPN Connect. Once installed, it installed additional software, captured screenshots, logged keystrokes, and accessed user data from apps like WeChat and DingTalk.

The malware also established persistent system access by creating scheduled tasks or modifying startup scripts, ensuring it reloaded after reboots. It communicated with command-and-control servers in China to transmit stolen data and receive instructions.

HZ RAT allowed attackers to install additional payloads, escalating activities like deploying ransomware, exfiltrating sensitive data, or using the infected system in a botnet. HZ RAT's multi-stage capability made it a versatile and dangerous tool.

Understanding how attackers exploit vulnerabilities and their evolving methods is one way to stay protected.

Vulnerabilities & methods of attack

Hackers can employ tricks to convince users to manually override macOS safeguards, such as presenting fake prompts that appear legitimate.

Using ChatGPT for malware. Image credit: Moonlock

Social engineering bypasses Gatekeeper entirely, giving malware free rein once installed. For users who have long trusted macOS's built-in protections, this is a wake-up call to scrutinize every pop-up and prompt.

Beyond social engineering, attackers are leveraging powerful tools to gain a foothold on macOS devices. Backdoor malware, which enables persistent access to systems, saw a significant spike in activity in 2024.

These backdoors often work in tandem with exploits -- software vulnerabilities that attackers use to breach a system's defenses. Moonlock's data revealed sharp increases in these coordinated attacks, particularly during targeted campaigns in April 2024.

Apple addressed vulnerabilities highlighted in Moonlock's 2024 macOS Threat Report. In November 2024, it released updates for iOS 18.1.1 and macOS Sequoia 15.1.1 to patch zero-day vulnerabilities (CVE-2024-44308 and CVE-2024-44309) in JavaScriptCore and WebKit.

Additionally, in September 2024, Apple addressed a vulnerability that allowed malicious actors to bypass Gatekeeper protections using specially crafted ZIP archives.

While Stealers are on the rise, their effectiveness is limited compared to sophisticated Windows attacks. Mac's architecture and default protections pose significant hurdles for hackers.

Most Stealers lack advanced obfuscation and persistence mechanisms, relying on basic user errors. For users who keep their systems updated, use the Mac App Store, and leave the built-in security features enabled, the risk is low.

Apple takes these threats seriously, with changes such as removing the "Control-click" override for Gatekeeper and patches for Gatekeeper bypass vulnerabilities. Combined with improvements in XProtect and regular system updates, the Mac's defenses remain strong.

How to stay safe

The macOS malware scene in 2024 is complicated. On one hand, tools like Cthulhu Stealer and AMOS Stealer sound alarming. But when you look closer, there's not much evidence of massive, wide-scale attacks.

Most of the activity involves small-scale incidents or theoretical risks rather than widespread damage. That said, the perception of macOS security is shifting.

However, it's still possible to keep yourself protected. Many attacks rely on social engineering, tricking users into bypassing their own security settings. Protection on Mac means scrutinizing every system prompt, avoiding suspicious downloads, and steering clear of unknown links.

Users should also rely on trusted sources, such as the Mac App Store, for software downloads and double-check permissions requested by installed applications.

Keeping software up to date is another cornerstone of security. Apple regularly releases patches to address vulnerabilities. Installing updates ensures that your system benefits from the latest defenses against active exploits.
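Two of the checks above can be scripted: reading the quarantine attribute that Gatekeeper relies on, and reviewing LaunchAgent/LaunchDaemon plists of the kind HZ RAT uses for persistence via scheduled tasks and startup items. The code below is an added example, not from the report or from Apple; the function names are hypothetical and the plist samples are constructed inline so it runs anywhere (on a Mac, the inputs would come from `xattr -p com.apple.quarantine <file>` and the files under `~/Library/LaunchAgents`).

```python
import plistlib
from datetime import datetime, timezone

# Hypothetical helper names and constructed samples; nothing here comes from the Moonlock report.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def parse_quarantine(xattr_value: str) -> dict:
    """Split a com.apple.quarantine value, stored as "<flags hex>;<unix time hex>;<agent>;<uuid>".

    Gatekeeper only assesses a file that still carries this attribute, which is
    why social-engineering guides tell victims to strip it or click through prompts.
    """
    flags, stamp, agent, *rest = xattr_value.split(";")
    epoch = int(stamp, 16)
    return {
        "flags": int(flags, 16),
        "downloaded_at": epoch,
        "downloaded_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": agent,
        "uuid": rest[0] if rest else "",
    }


def launch_item_findings(plist_bytes: bytes) -> list:
    """Review one LaunchAgent/LaunchDaemon plist and return traits worth a closer look.

    Stealers and RATs persist by dropping such plists so their payload reloads at
    login or boot, or runs on a schedule; benign items produce an empty list.
    """
    item = plistlib.loads(plist_bytes)
    program = item.get("Program") or (item.get("ProgramArguments") or [""])[0]
    label = item.get("Label", "<no label>")
    findings = []
    if not program:
        findings.append("no program specified")
    elif program.startswith(SUSPECT_PREFIXES):
        findings.append(f"runs from a temporary or shared path: {program}")
    if item.get("RunAtLoad"):
        findings.append("RunAtLoad set (starts at login or boot)")
    if item.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if killed)")
    if "StartInterval" in item or "StartCalendarInterval" in item:
        findings.append("scheduled execution configured")
    return [f"{label}: {f}" for f in findings]


# Constructed samples: a benign app helper and a dropper-style item that runs from /tmp on a timer.
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.helper",
                               "Program": "/Applications/Example.app/Contents/MacOS/helper"})
SUSPECT_PLIST = plistlib.dumps({"Label": "com.example.updater",
                                "ProgramArguments": ["/tmp/.cache/updater", "--silent"],
                                "RunAtLoad": True, "KeepAlive": True, "StartInterval": 300})
```

Calling `launch_item_findings` on each plist in the launch directories and printing the results gives a quick persistence review; an unexpected item with several findings is the thing to investigate, not proof of infection.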

Selling AMOS. Image credit: Moonlock

Investing in additional protection is worth considering. Tools like endpoint detection and response (EDR) software or reputable antivirus solutions can provide an extra layer of defense.

Education is also important. Staying informed about the latest security threats can empower users to make better decisions.

The Moonlock report reveals a shift in how attackers view macOS. As the platform's user base grows, it has naturally become a bigger target for cybercriminals.

This isn't because macOS is inherently less secure than it once was, but because attackers see more value in targeting it. The tools and techniques for bypassing macOS protections have also become more accessible, making it easier for even less experienced attackers to go after users.

A key takeaway is how much these attacks depend on user behavior. Many successful breaches don't rely on advanced exploits but instead take advantage of users who bypass protections like Gatekeeper or fall for phishing schemes.

Malware like AMOS and Cthulhu Stealer thrives on tricking users into granting permissions or downloading seemingly legitimate software. Staying informed about threats, avoiding untrusted downloads, and keeping system protections enabled are crucial for macOS users.