14 DAY TRIAL // Security researchers have observed an instance of the Adwind RAT dropping a Mac payload for the first time, but despite the crook's best efforts, in normal circumstances, the payload would rarely manage to infect any Mac users.
Adwind is a remote access trojan (RAT) that appeared at the start of the 2010s and has been advertised under several names, such as Frutas RAT, Unrecom RAT, AlineSpy, and most recently JSocket RAT.
This malware is written in Java, and as such, it has the capability of infecting all major operating systems where Java is supported, including Windows, Mac, Linux, and Android.
Adwind RAT dropping malicious JAR file on Macs
Until now, Adwind infections have been spotted numerous times on Windows and Android devices, with Mac and Linux being nothing more than a theoretical capability.
Researchers from Malwarebytes have discovered a recent version of the Adwind RAT, distributed as part of a malware distribution campaign spotted at the start of the month, which actually dropped a Mac-specific payload when infecting Mac devices.
Until now, researchers who run Adwind malware on Mac systems would often receive Windows-specific malware, which was incapable of causing any damage to Mac users.
Mac payload added a rogue launch agent
This time around, Malwarebytes' team says that, when executed, the JAR file received as spam added a new launch agent to the Mac that executed a binary from a hidden folder, which in one case even started the researcher's Web camera.
Outside snooping on your camera, Adwind has even more potentially dangerous features, such as the capability to download and install software, steal passwords, take screenshots of the user's screen, and upload stolen files to a server.
Despite all these scary features, Mac users are generally safe, according to Malwarebytes researcher Thomas Reed. "Adwind is, overall, a fairly weak effort on the Mac," he says.
In order to infect a victim, the researcher highlighted a few details that would make an Adwind infection on Macs a very improbable event.
Despite payload, infection would never occur in a real-world scenario
First, the researcher highlighted that the user needed to have Java installed to run the JAR file they received via email. Apple stopped including Java with OS X a few years back, and very few users still have this app installed on their computers.
This meant the user had to specifically download and install Java, which the researcher said is not a trivial task, mainly due to Oracle's complicated website.
After installing Java, launching the JAR file would trigger a GateKeeper warning, which the user would have to bypass via a complicated process. The warning would appear because the JAR file was not signed by a valid digital certificate.
If the user was so careless to carry out all these improbable operations, they would immediately detect something suspicious, because as soon as the victim executed the file, a quick terminal would flash in front of their eyes, and then nothing else. No fake document, no fake app GUI, nothing. This would immediately raise red flags with any user paying enough attention to their screen, which would then scan the system for malicious content or notify their system administrator.
So in spite of the fact that Adwind may be a cross-platform piece of malware and it may now be dropping Mac payloads, Adwind creators need to put a lot of work in modifying their infection mechanism if they ever want to really target and hijack Mac systems.
