Patrick Wardle: Apple Devices Hit With Recycled macOS Malware

Patrick Wardle talks about the biggest threats he’s seeing impacting Apple devices.

SAN FRANCISCO – Advanced persistent threat (APT) groups are hitting Apple devices with malware that has been reverse engineered and redeployed for malicious acts. This technique is complicating attribution efforts, Patrick Wardle, security researcher with Jamf, said this week during RSA Conference 2020.

“I looked at how hackers or adversaries could take existing malware that someone else has spent a lot of time and energy creating and then generally in a few simple steps repurpose or recycle, reconfigure to use for their own surreptitious purposes,” he said. The tactic poses challenges around traditional signature-based detection.

Despite these threats, Wardle said that when it comes to security, Apple’s moving in a “positive” direction, adding more malware mitigation or security features into their operating system.

Below is a lightly edited transcript of the video.

Tara Seals: Hi, I’m Tara Seals, senior editor with Threatpost and I’m here with Patrick Wardle of Jamf. Jamf?

Patrick Wardle: Jamf.

Tara Seals: Jamf.

Patrick Wardle: Yeah, Jamf.

Tara Seals: And what does Jamf stand for?

Patrick Wardle: It actually doesn’t stand for anything in particular. Basically our Mac enterprise company that does software for managing Macs and recently acquired my company to expand their security offering.

Tara Seals: Oh, I see. Very nice. Well you have a session here actually speaking of Macs and security yesterday where you were talking a little bit about repurposed malware and how that can be reverse engineered and redeployed basically for ill. So I want to talk a little bit about your research with that.

Patrick Wardle: Yeah, definitely. So I looked at how hackers or adversaries could take existing malware that someone else has spent a lot of time and energy creating and then generally, in a few simple steps, repurpose or recycle, reconfigure it to use for their own surreptitious purposes. And we’ve seen advanced three-letter agencies, APT groups already using this technique. It really kind of complicates the attribution picture and also gives you access to prebuilt malware, essentially, that someone else has created. So a kind of interesting technique and does pose some challenges towards traditional signature-based detection. So, also talking a little bit about how it’s important to focus on heuristics and behavioral-based detection to detect these threats.

Tara Seals: Right. And so is there anything in the Mac ecosystem in particular that is addressing some of these sort of more advanced threats going forward?

Patrick Wardle: Yeah, so we actually see Apple really moving in a positive direction from a security point of view where they continually add malware mitigation or security features based or built into the operating system. So for example, in Catalina on main one is this idea of notarization, which is basically Apple having to prescan software before it’s allowed to be deployed or distributed on Mac systems. And this obviously gives Apple the ability to make sure something isn’t malicious before users are able to run that. So that’s a great step because in the past the majority of malware or infections targeting kind of average Mac users were almost social engineering based attacks where the user would be tricked or coerced into running something. Now with notarization, Apple’s obviously not going to notarize malicious software, generally speaking, so these attacks are almost generically forded. So it’s a step in the right direction. There’s still ways to get around this. We’re seeing attackers kind of starting to utilize more advanced exploits and zero days more sophisticated techniques in response to these. But it is good to see Apple adding these extra barriers, which basically does raise the bar and make it more difficult for Mac systems to become infected.

Tara Seals: Right. Right, right. Well, and we did hear a stat yesterday actually at the keynote talking about how Apple devices are actually now they outnumber Microsoft space devices now. I mean, that’s a significant milestone obviously.

Patrick Wardle: Yeah, and what we see is we see attackers obviously kind of go after generally where they can make the most money. So if Apple devices are becoming more prolific, it means hackers, attackers are going to focus more of their time and resources obviously on targeting devices. We’ve seen an uptick especially in adware where now it’s way more prolific and problematic on macOS than it was a few years ago. And I think it’s largely because Mac devices, especially Macs, have become so much more popular both with home users but also in the enterprise.

Tara Seals: Right. And on the mobile phone side, what have you seen in terms of what’s sort of the most prevalent type of malware out there?

Patrick Wardle: Yeah, and that’s a very interesting question and also interesting case study because iOS is an incredibly secure device, which is good because that means the average user is not going to get infected with adware or a computer virus. So again, overall very positive. The issue is, and this is kind of almost an interesting paradox, is as a device becomes so secure, you actually don’t really, as a security researcher or as a security tool developer, get a lot of insight into actual device. There’s no way for you to see what processes are running on your iPhone right? On the Mac there’s a myriad of ways to do that. So advanced adversaries, three-letter agencies or APT groups with a lot of money can procure or find zero-day exploits and we know they have them. And what they do is then they can utilize them against even fully patched iOS devices. And once they’ve successfully infected those devices, there’s essentially no way for you to determine if that device is infected or it’s been hacked because it’s such a secure locked down black box. So for advanced adversaries, the security of the device is something they can almost leverage to protect their exploits and their malware. So it’s kind of an interesting conundrum. I don’t know what the solution is for that.

Tara Seals: It’s ironic, isn’t it?

Patrick Wardle: Yeah. I think it’s an interesting thing to discuss.

Tara Seals: To be boxed in by your own security.

Patrick Wardle: Exactly. But for the average user, again, the security of iOS is incredibly beneficial. And this is why we don’t see a lot of ad ware or any really or very few malware cases targeting Apple’s mobile devices.

Tara Seals: Right, right, right. Interesting. Okay, well we’re going to have to leave it there. We’re out of time, but thank you so much for your time. I appreciate it.

Patrick Wardle: Yeah. Thank you for chatting. It was really awesome.

Tara Seals: Thank you. I’m Tara. I’m here with Patrick Wardle.

Patrick Wardle: Patrick Wardle.

Tara Seals: Thank you very much for joining us.


Suggested articles