Security researchers have discovered a new piece of Mac malware; however, some of its purpose and full features will remain a mystery for a little longer.
Named Tarmac (OSX/Tarmac), this new malware was distributed to macOS users via online malvertising (malicious ads) campaigns.
These malicious ads ran rogue code inside a Mac user’s browser to redirect the would-be victim to sites showing popups peddling software updates — usually for Adobe’s Flash Player.
Victims who fell for this trick and downloaded the Flash Player update would end up installing a malware duo on their systems — first the OSX/Shlayer malware, and then OSX/Tarmac, launched by the first.
Distributed since January 2019
This malvertising campaign distributing the Shlayer+Tarmac combo started in January this year, according to Taha Karim, a security researcher at Confiant.
Confiant published a report about the January 2019 malvertising campaign at the time; however, it spotted only the Shlayer malware, not Tarmac.
But in a follow-up report published two weeks ago, Confiant dug deeper into the — still ongoing — malvertising campaign and its payloads.
This is how Karim found Tarmac, as a second-stage payload for the initial Shlayer infection. However, the Tarmac versions the researcher identified were relatively old, and the malware’s original command and control servers had been shut down — or most likely moved to a new location. This hindered analysis, as Karim wasn’t able to gain a full insight into how Tarmac operated.
All that’s known at the moment is that after Shlayer downloads and installs Tarmac on infected hosts, Tarmac gathers details about a victim’s hardware setup and sends this info to its command and control server.
At this point, Tarmac would wait for new commands. But since these servers aren’t available, Karim wasn’t able to determine the full scope behind Tarmac.
Second-stage payloads are usually powerful malware strains with many intrusive features, so Tarmac should, at least in theory, be a very dangerous threat.
However, for the time being, the mystery remains.
Tarmac distributed to US, Italian, and Japanese users
But while Tarmac’s full set of features has yet to be uncovered, we do know some details about who may have gotten infected.
In an interview today, Karim told ZDNet that the malvertising campaign that distributed the Shlayer and Tarmac combo was geo-targeted at users located in the US, Italy, and Japan.
While the US and Japan are regular targets for malvertising and malware campaigns, Italy is somewhat of an odd choice.
“We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community,” Karim told ZDNet.
Since Tarmac payloads come signed by legitimate Apple developer certificates, features like Gatekeeper and XProtect won’t stop its installation or show any errors.
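A valid Developer ID signature satisfies Gatekeeper regardless of who holds the certificate, so the useful check is whether the signer matches the vendor the installer claims to be. The script below is an added example, not code from Confiant’s report: it parses `codesign -dvvv` output (a constructed sample is embedded; the Team IDs and bundle identifier are placeholders, not values from the Tarmac IoCs) and flags a “Flash Player” installer whose Team ID is not the expected vendor’s.

```python
import subprocess

# Constructed sample of `codesign -dvvv` output for a hypothetical fake
# "Flash Player" installer. All values are placeholders, not Tarmac indicators.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Flash Player/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Dev (PLACEHOLDER01)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER01
"""

# Team IDs you expect on software claiming to be from a given vendor.
# ADOBE_TEAM_ID_PLACEHOLDER stands in for the real value you would look up.
EXPECTED_TEAM_IDS = {"Adobe Flash Player": {"ADOBE_TEAM_ID_PLACEHOLDER"}}


def parse_codesign(output):
    """Extract identifier, signing chain and Team ID from codesign -dvvv text."""
    info = {"authorities": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)  # leaf certificate comes first
        else:
            info[key] = value
    return info


def assess(info, claimed_product):
    """Return (ok, reason): Gatekeeper only asks 'is this a Developer ID signature?';
    this adds 'is the signer the vendor the installer claims to be?'."""
    leaf = info["authorities"][0] if info["authorities"] else ""
    if not leaf.startswith("Developer ID Application:"):
        return False, "not signed with a Developer ID certificate"
    team = info.get("TeamIdentifier", "")
    if team not in EXPECTED_TEAM_IDS.get(claimed_product, set()):
        return False, f"signed by team {team}, not the expected vendor for {claimed_product}"
    return True, "signer matches expected vendor"


def codesign_info(path):
    """Run codesign on a real bundle (macOS only); codesign prints details to stderr."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return parse_codesign(proc.stderr)
```

On a real host, `assess(codesign_info("/path/to/Install.app"), "Adobe Flash Player")` performs the same comparison against the live signature.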
Users and companies looking to see if they’ve had Mac systems infected by this malware can find indicators of compromise (IoCs) in Karim’s Tarmac report.