The Rise of Mac Malware: 2024 Threat Report Reveals Alarming Trends

by do son · December 8, 2024

For years, macOS enjoyed a reputation as a secure platform, relatively untouched by malware. However, a 60% surge in macOS market share over the past three years has made it an attractive target for cybercriminals, as highlighted in the 2024 macOS Threat Report from Moonlock Lab. The report provides a sobering look at the growing variety and accessibility of macOS malware, including the alarming rise of Malware-as-a-Service (MaaS) and the role of artificial intelligence in malware development.

Cyberattacks targeting macOS increased significantly in 2024, driven by advancements in attack techniques and the growing availability of malicious tools on the darknet. The report notes, “The darknet was flooded with posts and discussions on bypassing macOS defenses, leveraging AI tools for malware development, and capitalizing on social engineering to distribute macOS malware-as-a-service (MaaS).”

With MaaS offerings lowering the barrier for attackers, macOS threats are becoming more widespread and diverse. The once-high costs of macOS malware development have plummeted. A MaaS subscription, which previously cost tens of thousands of dollars, can now be acquired for as little as $1,500 per month.

A particularly concerning trend is the use of artificial intelligence to simplify macOS malware creation. Threat actors are leveraging tools like ChatGPT to develop malware with minimal technical expertise. One example cited in the report involves a Russian-speaking actor, “barboris,” who documented their process of using AI to create a macOS stealer. Moonlock Lab states, “This highlights a troubling shift: AI is empowering inexperienced individuals to create malware.”

AI-assisted tools can guide attackers in critical steps, including packing malware with PyInstaller, creating DMG files, extracting Keychain data, and targeting cryptocurrency wallets.

The rise of MaaS has made macOS malware more accessible and scalable. The report spotlights AMOS Stealer, a prominent MaaS offering, which exemplifies how MaaS ecosystems operate. Initially offered for $1,000 per month by the developer “atomicseller,” AMOS includes tools such as:

A malware builder for customizing payloads.
An administrative panel to manage stolen data like cookies, passwords, and credit card information.
Features for targeting Keychain data and cryptocurrency wallets.

Moonlock Lab describes AMOS as a “game-changer,” noting its impact on the malware economy. Affiliates use methods such as fake GitHub repositories and Google Ads poisoning to distribute the malware. Once data is stolen, it is monetized through marketplaces like COOKIE.PRO, where the AMOS developer is believed to have direct ties.

While macOS malware still lags behind Windows in sophistication, it is evolving rapidly. The report highlights:

Stealers: Among the fastest-growing categories, with significant spikes in October 2024. Obfuscation techniques are improving, allowing malware to evade detection.
Adware: Despite a drop in sample numbers, adware remains the most detected macOS malware, accounting for 73.37% of all detections in 2024.
Exploits and Backdoors: Coordinated campaigns deploying exploits and backdoors saw spikes in April, signaling an increase in targeted attacks.

To combat these rising threats, Moonlock Lab advises macOS users and administrators to:

Stay Updated: Ensure macOS systems are running the latest updates and patches.
Educate Users: Raise awareness about social engineering tactics, such as Gatekeeper bypass guides used to trick users into installing malware.
Deploy Robust Security Tools: Use advanced endpoint protection capable of detecting emerging threats, including MaaS-based malware.

Moonlock Lab warns, “With tools becoming cheaper and easier to use, macOS threats are no longer as rare as they used to be.”