Say Hello to Mac Malware: A Tradecraft Tuesday Recap
Published:
April 22, 2025

By:
Team Huntress

Yes, Windows devices are still very much a business favorite—but the adoption of macOS devices has been steadily ticking upward. Threat actors have noticed. 

More macOS malware variants have cropped up over the years, ranging from frustrating adware (like Adload) to insidious spyware (like LightSpy). The LockBit ransomware group has even dabbled with a macOS ransomware variant.

Apple has taken several steps over the years to build security measures into its platform, including Gatekeeper and the Transparency, Consent, and Control (TCC) framework. These features help end users better manage access to their sensitive data and can help detect malware lurking on their systems—but threat actors are also continually fine-tuning their attacks to get around them.

In our recent April Tradecraft Tuesday episode, Stuart Ashenbrenner, Huntress macOS researcher (and our designated Mac Guy), and Patrick Wardle, founder of DoubleYou and Objective-See, reunited to dig into the security protections Apple has built into macOS, and how threat actors are responding to these measures by attempting to bypass them. Below are some of the key takeaways from the episode.


Malware persistence on macOS...well, persists

Malware authors continue to employ persistence mechanisms for macOS, but those techniques have sometimes changed over time, particularly in response to some of Apple’s built-in security features. 

First, a quick primer on persistence: threat actors use various techniques to maintain access to devices even after they have been rebooted. You may be familiar with the persistence techniques used by malware targeting Windows devices—but macOS and Windows rely on very different services and background processes. That means macOS malware does not use Windows services or the registry for persistence; it relies on macOS-specific mechanisms instead.

These have most typically been Launch Items: Launch Daemons, which are property list (plist) files stored in various locations on disk and executed at the system level, and Launch Agents, which require a user session and execute the specific binaries defined in their plists.

For malware analysts and security researchers, persistence provides a good detection opportunity: unlike initial access vectors, which vary widely from vulnerability exploitation to compromised credentials, there is a more limited set of persistence methods available.


Apple specifically tracks persistent items in macOS through Background Task Management (BTM), introduced in 2022, which keeps tabs on persistence items in a BTM database. BTM raises macOS alerts for end users when it detects persistent items, and these are also broadcast as endpoint security events to third-party security tools.

At the same time, however, malware authors are aware of built-in Apple features like BTM. In response, they look for ways either to skirt persistence detection mechanisms or to build their attacks around them. One example is a recent increase in threat actors using cron jobs, which can be used on Linux and macOS systems to schedule commands. BTM doesn’t directly cover cron jobs if they are loaded in a certain way (as with AdLoad), and we’re seeing a resurgence of legacy adware using cron jobs via AdLoad as a means of persistence.

We’re also seeing malware authors target apps or services that users regularly launch (such as replacing a Dock icon with their own malware). While this won’t automatically run on reboot (and therefore isn’t as consistent as something like a Launch Agent), it will still run whenever a user clicks on it, and because it isn’t governed by BTM it helps threat actors sidestep detection.

In some cases threat actors are even shying away from persistence altogether when their attacks don’t need it, which may be the case with certain infostealer or ransomware attacks.
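The persistence inventory a defender would build from the mechanisms described above, as an added example (not code from the post or from Huntress): it parses a constructed Launch Agent plist and constructed crontab lines, records whether each item runs at boot, and flags items under hidden or temporary paths plus the boot-time cron entries that BTM does not surface. The real on-disk locations named in the docstring are assumptions.

```python
"""Inventory macOS persistence candidates from launchd plists and crontab lines.
Added example, not code from the Huntress post; inputs are constructed so it runs
offline (real sources: ~/Library/LaunchAgents, /Library/LaunchDaemons, `crontab -l`)."""
import plistlib
from dataclasses import dataclass

# Constructed Launch Agent in the shape launchd expects.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.hidden/updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed crontab: one routine entry, one @reboot entry under a temp path.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /private/tmp/.cache/agent >/dev/null 2>&1
"""

@dataclass
class PersistenceItem:
    source: str           # "launchd" or "cron"
    label: str            # plist Label, or the cron schedule field
    program: str          # executable the item runs
    runs_at_boot: bool    # runs after reboot/login with no user click
    covered_by_btm: bool  # BTM tracks launchd items; cron jobs are the gap the post notes

def parse_launchd_plist(data: bytes, origin: str) -> PersistenceItem:
    """Pull the executable and autostart flags out of a launchd plist."""
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else "")
    at_boot = bool(p.get("RunAtLoad")) or bool(p.get("KeepAlive"))
    return PersistenceItem("launchd", p.get("Label", origin), program, at_boot, True)

def parse_crontab(text: str) -> list:
    """Turn crontab lines into items; @reboot entries behave like RunAtLoad."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):        # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:                           # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        items.append(PersistenceItem("cron", sched, cmd.split()[0], sched == "@reboot", False))
    return items

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
def triage(items: list) -> list:
    """Flag hidden-directory or temp-path executables, plus boot-time items BTM will not surface."""
    return [it for it in items
            if "/." in it.program or it.program.startswith(TEMP_PREFIXES)
            or (it.runs_at_boot and not it.covered_by_btm)]

def inventory() -> tuple:
    # Parse the constructed samples and return (all items, flagged items).
    items = [parse_launchd_plist(SAMPLE_PLIST, "sample.plist")] + parse_crontab(SAMPLE_CRONTAB)
    return items, triage(items)
```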


TCC pain points: Alert inundation, bypasses, and more

TCC is Apple’s on-disk database and prompting mechanism for asking users for permission when an application tries to perform an action that requires it. TCC is behind the prompts that ask, for example, whether video collaboration software may access a device’s webcam or microphone. Once the user grants permission, the application’s consent to carry out that action is recorded and can be managed in System Preferences.

TCC is a good idea from a security perspective, but its design and implementation have led to several user interface pain points. End users are often inundated with security alerts tied to various permissions, even for security tools that have been signed with Developer IDs and notarized by Apple (meaning they have gone through a process in which Apple examined them closely to determine that they are not malware).


Another caveat of the TCC process, as we’ve previously discussed, relates to mobile device management (MDM) overrides. MDM providers can provision TCC permissions, so end users don’t have to see all the TCC-related security prompts. However, those settings aren’t reflected in System Settings; they live in the MDM binary property list (MDMOverrides.plist) rather than in the TCC database (TCC.db). This can cause discrepancies between what the MDM shows end users and what the endpoint shows them.
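One way to surface the discrepancy described above, as an added example that is not the post’s or Huntress’ code: it reconciles a reduced, constructed copy of the TCC.db `access` table with a constructed MDMOverrides.plist and reports grants that exist only in the MDM profile, grants that exist only in TCC.db, and outright conflicts. The plist layout (service, then identifier, then an `Allowed` flag) and the `auth_value` meanings are assumptions drawn from public research, not from the post.

```python
"""Reconcile TCC grants recorded in TCC.db with MDM-provisioned overrides.
Added example, not code from the post. Both inputs are constructed in memory: a
reduced copy of the TCC.db `access` table (service, client, auth_value) and an
MDMOverrides.plist laid out as service -> identifier -> {Allowed, IdentifierType}
(that layout and the auth_value meanings are assumptions from public research)."""
import plistlib
import sqlite3

DENIED, ALLOWED = 0, 2  # TCC.db auth_value meanings (assumed; 1 = unknown, 3 = limited)

SAMPLE_TCC_ROWS = [  # (service, client, auth_value): constructed sample rows
    ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", ALLOWED),  # user-granted
    ("kTCCServiceAccessibility", "com.example.agent", DENIED),           # user denied
]

SAMPLE_MDM_OVERRIDES = b"""<plist version="1.0"><dict>
  <key>kTCCServiceSystemPolicyAllFiles</key><dict>
    <key>com.example.agent</key><dict>
      <key>Allowed</key><true/>
      <key>IdentifierType</key><string>bundleID</string>
    </dict>
  </dict>
  <key>kTCCServiceAccessibility</key><dict>
    <key>com.example.agent</key><dict>
      <key>Allowed</key><true/>
      <key>IdentifierType</key><string>bundleID</string>
    </dict>
  </dict>
</dict></plist>"""

def load_tcc(rows: list) -> dict:
    """Build an in-memory stand-in for TCC.db and return {(service, client): auth_value}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    db.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    return {(s, c): v for s, c, v in db.execute("SELECT service, client, auth_value FROM access")}

def load_mdm(data: bytes) -> dict:
    """Parse MDMOverrides.plist into {(service, identifier): allowed}."""
    return {(service, ident): bool(entry.get("Allowed"))
            for service, clients in plistlib.loads(data).items()
            for ident, entry in clients.items()}

def reconcile(tcc: dict, mdm: dict) -> dict:
    """Classify each (service, client) seen in either source.
    mdm_only:  MDM grants with no TCC.db row (what System Settings will not show)
    user_only: TCC.db rows the MDM profile does not cover
    conflict:  MDM allows but TCC.db records a denial, or the reverse"""
    report = {"mdm_only": [], "user_only": [], "conflict": []}
    for key, allowed in mdm.items():
        if key not in tcc:
            report["mdm_only"].append(key)
        elif allowed != (tcc[key] == ALLOWED):
            report["conflict"].append(key)
    report["user_only"] = [k for k in tcc if k not in mdm]
    return report

def run() -> dict:
    """Reconcile the constructed samples."""
    return reconcile(load_tcc(SAMPLE_TCC_ROWS), load_mdm(SAMPLE_MDM_OVERRIDES))
```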

There are also many ways for threat actors to get around TCC, as we’ve seen through the many macOS vulnerability disclosures in Apple’s security updates. For instance, XCSSET, macOS malware uncovered a few years ago with various capabilities (from stealing victims’ app information to taking screenshots), was previously found exploiting CVE-2021-30713, a vulnerability that allowed it to bypass the TCC framework.


TCC endpoint security events and Gatekeeper changes

In its newest operating system release, Apple added TCC events to its endpoint security framework. Endpoint security, released in macOS 10.15, is Apple’s framework for monitoring system events for potentially malicious activity. It sends notification events after a new process has been spawned, but also delivers authorization events before an action occurs, which lets security tools inspect the action and prevent it if they choose.

As of macOS 15.4, endpoint security is now notified when TCC permissions are modified (via the ES_EVENT_TYPE_NOTIFY_TCC_MODIFY event type), giving third-party security tools better visibility into TCC permissions that have been modified or changed. These events are currently reactive, meaning the notification arrives after the change has occurred; the more proactive authorization variant, which could allow security tools to inspect permissions before they’re granted, has not yet been built in.


Still, this development helps crack down on macOS malware that tries to bypass TCC by bombarding users with TCC prompts or masquerading as legitimate software. Previously, we’ve seen malware authors exploit the fact that end users can be tricked into granting permissions via TCC alerts (particularly when they’re inundated with so many of them).

Apple has also made tweaks to Gatekeeper, the technology that double-checks whether apps contain known malware or whether their developer signing certificates have been revoked. One previous weakness in Gatekeeper was that macOS users could easily sidestep it by right-clicking an app or using the “Open Anyway” option in System Settings to execute potentially malicious applications. Threat actors behind macOS malware like the Shlayer adware dropper have used this weakness in their attacks.

More recently, however, Apple has changed Gatekeeper’s behavior: if macOS users download software that isn’t signed, they are warned that Apple can’t verify it is free of malware, and whether they right-click the app or visit System Settings they are given only two options: “Done”, which does nothing, or “Move to Trash”.

These examples show Apple’s ongoing attempts to improve its security features in order to make them more difficult for threat actors to bypass in attacks.


Understanding macOS malware: Growth and trends

Generally, as a technology becomes more widespread, threat actors take notice—and we’re seeing that with macOS as Macs become more common in the enterprise. While macOS malware appears to have increased dramatically year over year, pinning down specific numbers that show this growth is difficult, especially because as researchers write new detections, we inherently start to see more.


However, we do see some overarching trends indicating that more threat actors are targeting macOS overall. For example, threat actors are in some cases porting malware originally written for Windows or Linux to macOS (either via cross-platform frameworks or by rewriting the malware natively for macOS).

We’re also seeing a rise in living-off-the-land techniques specifically focused on macOS. Infostealers like Poseidon are abusing the AppleScript framework—a scripting language that offers the capability to automate tasks—to simulate prompts that mimic native Apple prompts, with the goal of stealing end user credentials. 

At the end of the day, threat actors continue to look for new ways to target macOS platforms and skirt around Apple’s built-in security protections. There are many ways to secure your Mac, like using third-party tools and keeping your OS and applications up to date. 

For more details about macOS malware trends and to better understand the impacts of Apple’s new TCC events support in endpoint security, watch the full version of our April Tradecraft Tuesday episode!


Categories
Cybersecurity Education