How a new malware campaign targets Mac users and evades detection
MacOS is generally perceived to be more effective at keeping malware out compared to PCs and other operating systems. However, that's not the reality; MacOS is just as vulnerable to malware threats as any other operating system, and this misconception can lead you to not be as vigilant regarding malware threats.
As evidence, there's a new one you need to be aware of called SpectralBlur, which is a sophisticated backdoor malware threat targeting Macs that's capable of wiping out your files without you even knowing how and when it got there in the first place.
Woman typing on a Mac (Kurt "CyberGuy" Knutsson)
What is SpectralBlur?
SpectralBlur is a backdoor malware that was created by Lazarus, a hacking group from North Korea. Lazarus has been behind several hacks, including KandyKorn, which targeted blockchain engineers in cryptocurrency.
For quite some time, SpectralBlur went undetected because antivirus software on Mac wasn't able to pick up on it. It wasn't until August 2023 that it was uploaded to VirusTotal — a virus detection software — published this new malware threat, and it gathered attention in the cybersecurity community. It's even being called "The First Malware of 2024" and was dissected originally by Greg Lesnewich.
MacBook, iPad and iPhone (Kurt "CyberGuy" Knutsson)
MORE: HOW TO PROTECT YOUR MAC FROM THE NEW METASTEALER MALWARE
What is SpectralBlur capable of?
Because SpectralBlur is a backdoor malware, it means that instead of having to go through normal authentication procedures — where most malware would get detected — the malware gets into your system in several ways. It could be vulnerabilities in your system, a phishing attack, malicious links/downloads or other tactics.
Objective-See’s security researcher Patrick Wardle also analyzed SpectralBlur and came to similar conclusions as Lesnewich. Once it's installed, the hacker can grant themselves remote access to your macOS. This gives the hacker the ability to access files and databases on your server. With this access, they can remotely tell it to do whatever they want, for however long they go unnoticed.
From uploading files from your computer into their server, downloading files from the hacker's server to yours, or deleting files on your computer, they can steal your sensitive information, documents, images, etc., and use them for all sorts of purposes. They can also deploy additional malware (again, without you necessarily realizing it).
Woman on a Mac computer (Kurt "CyberGuy" Knutsson)
MORE: BEWARE OF THIS MAC MALWARE MASQUERADING AS AN OFFICE PRODUCTIVITY APP
How does SpectralBlur get onto my system and how does it work?
Once SpectralBlur gets initial access, it uses a pseudo-terminal to execute shell commands, which essentially means it can run any command on the macOS system as if the attacker were physically using the computer. It does this via a remote command-and-control (C&C) server, using RC4-encrypted socket communication.
Because this communication is encrypted, it makes it difficult for security systems to detect and analyze the malware's network activity. This encryption helps it stay hidden by masking the data being sent and received as harmless to your system. Of course, that's not the case; it's potentially wreaking havoc without you knowing.
Why does North Korea want access to my computer?
Good question. This isn't something we'll cover in depth here, but essentially the idea is because North Korea has so many sanctions on it, hackers are motivated to execute their hacks by money and information. When they can steal funds in cryptocurrency, they can use that money to fund the regime.
MORE: TIPS TO FOLLOW FROM ONE INCREDIBLY COSTLY CONVERSATION WITH CYBERCROOKS
How did SpectralBlur go undetected for so long?
There are a few ways that SpectralBlur goes undetected, especially once it's gotten access to your system:
To start, it utilizes Mac's sleep and hibernate commands, which allow it to lay dormant within a system. This capability not only helps it avoid suspicions but also makes it difficult for users and antivirus programs to recognize it's there. It's also able to avoid detection by wiping your files and overwriting them with zeros. This method ensures that once it has accessed or created files, they can be completely erased without a trace. So, not only is it deleting your files, it's getting away with it.
Last but not least, SpectralBlur can update its configuration as it goes. In layman's terms, it's quite agile and quick on its feet. By being able to adjust its tactics on the fly, SpectralBlur can stay hidden.
How can I catch it?
Because SpectralBlur is so sneaky and smart, you might be wondering how Mac users recognize that SpectralBlur is on their system. After all, it evaded virus detectors and cybersecurity experts for quite some time, so the average person shouldn't be expected to figure it out.
Ultimately, there are a few ways to know if SpectralBlur — or other backdoor malware — may be on your computer:
Unusual system behavior: If you notice your system is acting slower than usual, apps crashing frequently, your system's settings have changed without you doing it yourself, or just the feeling that something isn't right, there could be malware on your computer.
Increased CPU or network usage: An unexplained increase in CPU or network usage can also be a red flag. SpectralBlur might be using resources for malicious activities, which means more work on your system than usual.
Suspicious files or applications: Those of you who regularly check your system might find unfamiliar files or applications. While SpectralBlur tries to clean up after itself, certain actions or additional malware installations might leave some traces (albeit not on purpose).
Identity theft: Unfortunately, some users might only realize they've been a victim of SpectralBlur or a similar malware attack when their data has been breached. Hopefully, though, it won't get to this point.
How to protect your macOS from SpectralBlur malware
SpectralBlur is an advanced piece of malware, but there are ways you can protect yourself.
1) To begin with, be sure to update your operating system regularly. Check to see whether or not you're running the latest version of macOS. If you aren't, do an update.
2) Install a reliable antivirus software for an additional layer of protection. The absolute best way to protect yourself from having your data breached is to have antivirus protection installed on all your devices. Having good antivirus software actively running on your devices will alert you of any malware in your system, warn you against clicking on any malicious links in phishing emails, and ultimately protect you from being hacked. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.
3) Always be cautious when opening email attachments or downloading files, especially from untrusted sources.
4) Use identity theft protection. Identity Theft protection companies can monitor personal information like your home title, Social Security Number, phone number and email address and alert you if it is being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. Read more of my review of the best identity theft protection services here.
5) Although having malware in your system is a cause for concern for bigger things like identity theft, one of the most upsetting results of a SpectralBlur infection for most users is the fact it can delete files on your macOS. No one wants to wake up one morning to find out that their docs, photos, notes, videos and whatever else you have saved to your computer are gone.
Despite the fact you can't prevent this 100%, you can make sure to hold on to your files. Do this by initiating regular backups of important data. In the event of a malware infection, having up-to-date backups can save all of your important data.
Man on a Mac computer (Kurt "CyberGuy" Knutsson)
Kurt's key takeaways
The whole reason that backdoor malware like SpectralBlur is so damaging is that it can exist on your system for a long time without getting noticed, deleting all your files and data in the process. Unfortunately, by the time it is detected, it may be too late. So, please do yourself a favor and protect your Mac as best as possible using the security tips we mention, like installing antivirus protection and backing up your information.
Have you — or has anyone you know — detected SpectralBlur or other backdoor malware on their macOS? Let us know by writing us at Cyberguy.com/Contact.
For more of my tech tips & security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
Ask Kurt a question or let us know what stories you'd like us to cover.
Answers to the most asked CyberGuy questions:
- What is the best way to protect your Mac, Windows, iPhone and Android devices from getting hacked?
- What is the best way to stay private, secure and anonymous while browsing the web?
- How can I get rid of robocalls with apps and data-removal services?
Copyright 2024 CyberGuy.com. All rights reserved.
Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.