Adwind RAT has been detected adding Mac systems to its target list but the payload it has been dropping on Macs could barely do any harm to its users.
Since 2010 when it first appeared, the researchers have come across the remote access Trojan under a few different names, such as Unrecom RAT, Frutas RAT, Aline Spy, and most recently JSocket RAT.
Written in Java, the Trojan has the ability to infect all Java-supportive operating systems including Android, Windows, Linux and Mac. However, until now, the malware used by the crooks behind Adwind was unable to infect Macs. Android and Windows, on the other hand, have been targeted multiple times.
And yet, at the start of the month Malwarebytes researchers discovered a new version of the Adwind RAT which is actually capable of damaging Mac devices. The victim receives a spam message with the JAR file attached which, when executed, adds a new launch agent to the Mac that runs a binary from a hidden folder.
Once this happens, Adwind could not only run and look through the victim`s camera files, but it could also steal data and upload it to a server, download and install software or take screenshots of the user`s screen.
Even with all these dangerous capabilities, according to Malwarebytes researcher Thomas Reed, Mac users are not at that much of a risk. “Adwind is, overall, a fairly weak effort on the Mac” he states.
Reed highlights the event and actions that must have occurred first in order for the Mac infection to be successful, although he does not believe this could ever happen.
First, in order for the JAR file to be run, the user needs to have Java installed which is no longer included in OS X and very few people still use it. Not to forget the fact that actually downloading and installing Java is not that common anymore because of the Oracle’s complicated website.
Second, even if Java is installed and running, executing the JAR file would activate a GateKeeper warning because the file was not signed by a valid digital certificate. This should attract the user`s attention and make them stop the process immediately.
Last, even if the user somehow has gone through all these suspicious operations, the moment when the file is executed a quick terminal would flash on their screen, and then nothing else. There would be no phony documents or files, no phony app GUI. At this point, anyone who pays enough attention to their screen would be suspicious enough to scan the system or inform their system admin.
So, despite the cybercriminals` best efforts, the Mac payload dropping and cross-platform malware is still considered pretty useless and a lot of modifications will be needed if they ever want to succeed in infecting Mac devices.