Two New macOS Threats Could Be Hiding From Your Antivirus
Following its discovery of “ModStealer” last September, Apple device management and security firm Mosyle has identified another pair of macOS nasties that fly under the radar of antivirus engines.
The Mosyle Security Research Team told 9to5Mac that it’s identified two previously undetected threats: Phoenix Worm, a cross-platform stager, and ShadeStager, a modular macOS implant created for credential theft. While the pair aren’t directly related, they do show how sophisticated Mac malware has become — and how the Mac is increasingly becoming an attractive target for the bad actors of the world.
Mac malware has certainly evolved in recent years, with trojans and infostealers becoming the most common categories over the last year or so. Attackers are no longer looking for a quick score; they are content to sit in the background and quietly harvest personal and financial information.
Phoenix Worm: The Stager
Phoenix Worm is a Golang-based multi-platform malware that acts as a stager. Stagers are lightweight initial payloads that quietly build a foothold in an operating system to prepare the device for a secondary wave of attacks.
According to Mosyle, the core functionality of Phoenix Worm is as follows:
- Establishes communication with a remote command-and-control server
- Generates unique identifiers for each infected system
- Transmits system data back to the bad guys
- Allows remote upgrades and additional payload execution
Mosyle told 9to5Mac that Phoenix Worm doesn’t appear to be a standalone threat, as its design indicates that it’s part of a larger toolkit, designed to hand off execution to more dangerous payloads down the attack chain.
At the time of Mosyle's investigation, the macOS and Linux variants of Phoenix Worm were not detected by any antivirus engines on those platforms, while Windows engines had only limited success in flagging the worm.
ShadeStager: The Credential Thief
ShadeStager is designed to extract high-value data from systems that have already been compromised by tools like Phoenix Worm. While that makes ShadeStager look like the natural second stage for Phoenix Worm, Mosyle says the two are not connected.
The firm says ShadeStager seems to target developer environments and cloud infrastructure. Specifically, it looks for:
- SSH keys and known hosts
- AWS, Azure, and GCP cloud credentials
- Kubernetes configuration files
- Git and Docker authentication data
- Browser profiles
The implant also collects user and privilege information from the host, along with OS and hardware details, environment variables, network configuration, and other data tied to cloud and SSH sessions. All communication with its operators runs over HTTPS, so it blends in with normal web traffic, and the channel supports remote command execution, data exfiltration, and file download.
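Knowing what ShadeStager goes looking for, the first thing a Mac admin will want is an inventory of which of those artifacts exist on a host and whether any of them are readable by more than their owner. The script below is an added example, not code from Mosyle or from the article; the file paths are the conventional default locations used by each tool (an assumption, since the article does not publish the implant's actual file list), and the `demo()` function builds a constructed scratch home directory rather than touching the real one.

```python
import os
import stat
import tempfile
from pathlib import Path

# Conventional default locations for each artifact class the article lists.
# These are the tools' own standard paths, assumed here for the audit; the
# article does not disclose ShadeStager's exact file list.
CREDENTIAL_ARTIFACTS = {
    "SSH keys and known hosts": [".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519",
                                 ".ssh/known_hosts"],
    "AWS credentials": [".aws/credentials", ".aws/config"],
    "Azure CLI token cache": [".azure/msal_token_cache.json", ".azure/azureProfile.json"],
    "GCP credentials": [".config/gcloud/credentials.db",
                        ".config/gcloud/application_default_credentials.json"],
    "Kubernetes config": [".kube/config"],
    "Git credentials": [".git-credentials"],
    "Docker auth": [".docker/config.json"],
}

# Any group or other permission bit is "loose" for a file holding a secret.
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_credential_files(home):
    """Return one finding per artifact that exists under home, with its mode
    and whether that mode exposes it beyond the owning user."""
    home = Path(home)
    findings = []
    for category, rel_paths in CREDENTIAL_ARTIFACTS.items():
        for rel in rel_paths:
            path = home / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({
                "category": category,
                "path": rel,
                "mode": f"{mode:04o}",
                "loose_permissions": bool(mode & LOOSE_BITS),
            })
    return findings


def demo():
    """Constructed demonstration: a scratch home directory with three of the
    artifacts present, one of them deliberately left group/world readable."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        planted = {
            ".ssh/id_ed25519": 0o600,
            ".aws/credentials": 0o644,   # deliberately loose
            ".kube/config": 0o600,
        }
        for rel, mode in planted.items():
            target = home / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("placeholder, not a real secret\n")  # constructed content
            os.chmod(target, mode)
        return audit_credential_files(home)


if __name__ == "__main__":
    # Real run: audit the current user's home directory.
    for finding in audit_credential_files(Path.home()):
        flag = "LOOSE" if finding["loose_permissions"] else "ok"
        print(f"{flag:5} {finding['mode']} {finding['path']}  ({finding['category']})")
```

This does not detect ShadeStager; it tells you what the implant would be able to walk off with if it landed, which is the list you want to shorten (revoke, rotate, or move into a keychain or short-lived credential flow) before rather than after an incident.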
Mac admins who would like to add these two new threats to their security tools will be glad to know that Mosyle has shared the following SHA256 hashes:
- ShadeStager: 7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156
- Phoenix Worm: 54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2
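For admins without a tool that accepts raw hashes, the following is an added example (not Mosyle's or the article's code) of a small SHA-256 sweep over a directory tree using the two published indicators. The `demo()` function builds a constructed scratch tree and registers a hypothetical extra hash for a benign sample file, so the example can show a match without any real malware being present.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators published by Mosyle, as quoted in the article above.
IOC_HASHES = {
    "7e8003bee92832b695feb7ae86967e13a859bdac4638fa76586b9202df3d0156": "ShadeStager",
    "54ef0c8d7e167053b711853057e3680d94a2130e922cf3c717adf7974888cad2": "Phoenix Worm",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=IOC_HASHES):
    """Hash every regular file under root; return (path, threat name) for each IOC match.

    Symlinks are skipped so a planted link cannot steer the scan outside the tree,
    and files that cannot be read are ignored rather than aborting the whole run.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                found = sha256_file(path)
            except OSError:
                continue
            if found in iocs:
                hits.append((path, iocs[found]))
    return hits


def demo():
    """Constructed demonstration: a scratch tree containing one benign sample file
    whose hash is added as a hypothetical IOC so the scan has something to hit."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "Library" / "LaunchAgents" / "sample.bin"
        sample.parent.mkdir(parents=True)
        sample.write_bytes(b"hello")  # constructed content, not a malware sample
        (Path(tmp) / "clean.txt").write_text("nothing to see here")
        iocs = dict(IOC_HASHES)
        sample_hash = sha256_file(sample)
        iocs[sample_hash] = "constructed-sample"
        hits = scan_tree(tmp, iocs)
        return {
            "sample_sha256": sample_hash,
            "hits": sorted((os.path.relpath(p, tmp), name) for p, name in hits),
        }


if __name__ == "__main__":
    import sys
    # Real run: sweep the directory given on the command line (default /Applications).
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, name in scan_tree(root):
        print(f"MATCH {name}: {path}")
```

A hash match is exact-build detection only: a recompiled or repacked sample of either family will not hit, so treat a clean sweep as "these specific builds are absent", not as "this host is free of Phoenix Worm or ShadeStager".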
Oddly enough, Mosyle researchers were able to view portions of the malware's code without any additional reverse engineering of the binaries, which suggests that the code they intercepted was still under development when discovered. That also means both families are likely to keep evolving beyond the builds matching the hashes above, so hash-based blocking should be treated as a starting point rather than complete coverage.
