AI-Powered Mac Malware: The Rising Threat in 2024

Hackers are building bespoke Mac malware using GenAI

Social engineering continues to be the most common attack method Cybersecurity experts from Moonlock are warning of the increasing prevalence of sophisticated macOS malware created with the help of generative AI. In its 2024 Threat Report, Moonlock explored how publicly available tools like ChatGPT have enabled hackers to work around the technical barriers they were previously subject to in order to create malicious software more quickly. The research found screenshots posted to darknet forums showing hackers using artificial intelligence to guide them through the development of Mac-bound malware step by step. Among the examples given was a case involving Russian-speaking threat actor 'barboris,' who admitted to building macOS malware without any prior coding experience thanks to generative AI. With natural language prompts, barboris was able to create an infostealer capable of targeting Keychain credentials and cryptocurrency wallet information. The reported summarizes: "The barrier to entry is lower than ever, and AI has become a new ally for cybercriminals seeking to launch macOS-focused campaigns." Moonlock explains that the rise of malware-as-a-service (MaaS) has also made macOS malware more accessible than ever. Cheapening MaaS options are lowering the barriers for attackers and making macOS malware more common that it used to be. The researchers claim that the rise of MaaS has made cybercrime into a collaborative effort, creating new roles for creators and distributors. Previously, Apple's desktop operating system was favored over its Windows counterpart for being less susceptible to cyberattacks, however the researchers explained that the notion that macOS is still as safe is now a dated one. Users are being advised to treat macOS as they would any other operating system or internet-connected device, by keeping software updated with security patches, only downloading apps from trusted sources such as the Mac App Store, and installing renowned third-party security tools. However, while the threat environment may be shifting, social engineering remains the most common way of forcing entry, and all users should be wear of handing out sensitive information unless it is absolutely necessary. "We expect a surge in the variety of stealers targeting macOS in 2025," noted Mykhailo Pazyniuk, Malware Research Engineer at Moonlock. "During 2024 we've observed different threat actors trying to bypass Apple's protection mechanisms, emphasizing on users as the weakest link in this attack chain. Therefore, threat actors haven't bothered much with finding exploits in macOS itself just yet." "One thing is certain - since many stealers eventually did their job and managed to exfiltrate sensitive user data and their crypto assets, the market of MaaS and macOS exploits will continue to grow in 2025, possibly offering more ways to stay undetected for antivirus software," Pazyniuk said.

Security Bite: Threat actors are widely using AI to build Mac malware - 9to5Mac

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple. Each year, Moonlock Lab, the cybersecurity research wing of the widely popular Mac app maker MacPaw, releases an annual report detailing the current state of the macOS threat landscape. On Tuesday, Moonlock Lab released its 2024 Threat Report, detailing how AI tools like ChatGPT are helping to write malware scripts, the shift to malware-as-a-service (MaaS), and other interesting statistics it is seeing through internal data. It's been long speculated that threat actors have been working hard behind the scenes to turn AI tools into AI accomplices. Now it appears we've gotten our first-look at how it's being done. Screenshots from darknet forums show that attackers are using AI tools, such as ChatGPT, to guide them through complex malware creation processes. A notable example is a Russian-speaking threat actor known as "barboris," who openly shared their experience of developing a macOS stealer without any prior coding experience. "With just a few prompts, attackers can generate scripts and implement advanced techniques that would have required significant expertise in the past. The barrier to entry is lower than ever, and AI has become a new ally for cybercriminals seeking to launch macOS-focused campaigns," Moonlock Lab states in its report. This situation is alarming for several reasons. Mainly: what once required significant technical expertise can now be accomplished by virtually anyone with internet access. This year, it's likely we are witnessing a fundamental shift in malware development. No longer is this a trade for exclusively for skilled programmers. In essence, this represents the decentralization of cybercrime. However, working with code can still be challenging for criminals. This is where MaaS has a hold. The darknet has experienced a surge in discussions around bypassing macOS defenses and distributing malware-as-a-service (MaaS) in 2024, according to the report from Moonlock Lab. Currently, cyber gangs like AMOS operate as highly profitable MaaS businesses. In this model, malware developers (or operators) create the software, while affiliates, typically those with less technical knowledge, pay to access the malicious package and direct it toward their chosen targets. A sought after solution for affiliates (criminals) with near-zero technical ability. These affiliates would pay a fee to "license" the malware package. This can either be a one-time payment or a more affordable recurring subscription. Operators dealing in ransomware -- known as Ransomware-as-a-Service -- often take a cut from any ransom payment received. According to Moonlock, the rise of MaaS has lowered the entry barrier for cybercriminals, with services that previously cost tens of thousands now available for around $1,500 per month. This price drop is likely due to increased competition, as there has been a surge in MaaS providers like RansomHub. If you're a regular reader of Security Bite, you probably already know some of this information. However, the best advice remains the same: keep your software up to date, only download apps from trusted sources, and consider using a third-party security solution for added protection. I personally recommend MacPaw's CleanMyMac, which offers real-time malware detection. The days of believing that "Macs don't get viruses" are long gone. For more detailed info, I highly encourage you to check out Moonlock Labs' full report.

What a new threat report says about Mac malware in 2024

If you buy through our links, we may get a commission. Read our ethics policy. Apple's macOS has been under siege in 2024 as malware-as-a-service platforms and AI-driven threats make the year a turning point for Mac security. For years, macOS had a reputation for being malware-resistant, but 2024 has painted a different picture. A surge in malware targeting macOS users -- fueled by the rise of malware-as-a-service (MaaS) platforms and even artificial intelligence -- is changing that narrative. Moonlock's 2024 macOS Threat Report reveals alarming trends that are turning Apple's platform into a lucrative target for cybercriminals. The report dives into the evolving tactics attackers are using, from cheap, plug-and-play malware kits to sophisticated AI-generated exploits that bypass key protections. However, many of the attacks aren't due to flaws in the system. Instead, they result from users disabling the built-in safeguards or being deceived into installing malicious software, either intentionally or accidentally. Cybercriminals used to largely ignore Macs due to their lower user base, but they now see the platform as another opportunity, besides the eternally plagued Windows. What's troubling is how accessible the tools for exploiting macOS vulnerabilities have become. A decade ago, creating malware for the platform required deep technical skills and computing resources. Now, malware-as-a-service platforms like AMOS Stealer are lowering the barrier to entry. For as little as $1,500 a month, even inexperienced hackers can buy a toolkit that automates the process of stealing user data. The affordability has opened the floodgates. Another factor fueling the malware surge is the use of artificial intelligence. As Moonlock reveals, AI tools like ChatGPT are being used on darknet forums to guide hackers through the malware creation process, step by step. These tools can generate scripts, pack malware into installation files, and even teach attackers how to bypass macOS's Gatekeeper protections. AI-assisted malware lets even novices deploy threats that would have been out of their league just a few years ago. Attackers bypass macOS's Gatekeeper protections through social engineering and technical manipulation, exploiting user trust and system vulnerabilities. These cybercriminals trick users into disabling Gatekeeper with fake prompts or detailed instructions claiming to install legitimate software. Malware disguised as trusted apps or system updates overrides security warnings. In some cases, attackers obtain or steal valid Apple Developer certificates to sign their malicious software, bypassing Gatekeeper's verification. Mac threats have been dominated by adware and ransomware for years. These tools, designed to annoy or extort users, were effective until 2024. Adware campaigns are less lucrative due to improved user awareness and better protections. Ransomware on macOS hasn't achieved the same level of sophistication or success as on Windows. Instead, hackers are turning to Stealers -- malware designed to quietly gather sensitive data like passwords, cookies, and cryptocurrency wallet details. In August 2024, security researchers discovered "Cthulhu Stealer," a new macOS malware sold to cybercriminals for as low as $500 per month. The malware disguised itself as legitimate software like Grand Theft Auto IV or CleanMyMac to trick users into downloading and installing it. Once installed, it prompted users to enter sensitive information, which it transmitted to attackers. Cthulhu Stealer shared similarities with "Atomic Stealer," suggesting the developers reused the code. Another stealer in August was "Banshee Stealer." It collected extensive information from infected systems, including system details, passwords, and specific file types. It used evasion techniques like identifying virtual environments and APIs to avoid detection, especially on Russian-speaking systems. The malware was distributed as a premium tool on underground forums, with a steep price tag of $3,000 per month, indicating its sophistication and intended use by serious cybercriminals. However, there is no clear indication that Apple has patched Banshee. Meanwhile, in September 2024, cybersecurity experts discovered a new macOS threat called HZ Remote Access Tool (HZ RAT). The malware granted attackers full administrative control over infected systems. HZ RAT was typically distributed through tampered versions of popular applications like OpenVPN Connect. Once installed, it installed additional software, captured screenshots, logged keystrokes, and accessed user data from apps like WeChat and DingTalk. The malware also established persistent system access by creating scheduled tasks or modifying startup scripts, ensuring it reloaded after reboots. It communicated with command-and-control servers in China to transmit stolen data and receive instructions. HZ RAT allowed attackers to install additional payloads, escalating activities like deploying ransomware, exfiltrating sensitive data, or using the infected system in a botnet. HZ RAT's multi-stage capability made it a versatile and dangerous tool. Understanding how attackers exploit vulnerabilities and their evolving methods is one way to stay protected. Hackers can employ tricks to convince users to manually override macOS safeguards, such as presenting fake prompts that appear legitimate. Social engineering bypasses Gatekeeper entirely, giving malware free rein once installed. For users who have long trusted macOS's built-in protections, this is a wake-up call to scrutinize every pop-up and prompt. Beyond social engineering, attackers are leveraging powerful tools to gain a foothold on macOS devices. Backdoor malware, which enables persistent access to systems, saw a significant spike in activity in 2024. These backdoors often work in tandem with exploits -- software vulnerabilities that attackers use to breach a system's defenses. Moonlock's data revealed sharp increases in these coordinated attacks, particularly during targeted campaigns in April 2024. Apple addressed vulnerabilities highlighted in Moonlock's 2024 macOS Threat Report. In November 2024, it released updates for iOS 18.1.1 and macOS Sequoia 15.1.1 to patch zero-day vulnerabilities (CVE-2024-44308 and CVE-2024-44309) in JavaScriptCore and WebKit. Additionally, in September 2024, Apple addressed a vulnerability that allowed malicious actors to bypass Gatekeeper protections using specially crafted ZIP archives. While Stealers are on the rise, their effectiveness is limited compared to sophisticated Windows attacks. Mac's architecture and default protections pose significant hurdles for hackers. Most Stealers lack advanced obfuscation and persistence mechanisms, relying on basic user errors. For users who keep systems updated, use the Mac App Store, and disable security features, the risk is low. Apple takes these threats seriously, with updates like removing "Control Click" and patches for Gatekeeper bypass vulnerabilities. Combined with improvements in XProtect and regular system updates, the Mac's defenses remain strong. The macOS malware scene in 2024 is complicated. On one hand, tools like Cthulhu Stealer and AMOS Stealer sound alarming. But when you look closer, there's not much evidence of massive, wide-scale attacks. Most of the activity involves small-scale incidents or theoretical risks rather than widespread damage. That said, the perception of macOS security is shifting. However, it's still possible to keep yourself protected. Many attacks rely on social engineering, tricking users into bypassing their own security settings. Protection on Mac means scrutinizing every system prompt, avoiding suspicious downloads, and steering clear of unknown links. Users should also rely on trusted sources, such as the Mac App Store, for software downloads and double-check permissions requested by installed applications. Keeping software up to date is another cornerstone of security. Apple regularly releases patches to address vulnerabilities. Installing updates ensures that your system benefits from the latest defenses against active exploits. Investing in additional protection is worth considering. Tools like endpoint detection and response (EDR) software or reputable antivirus solutions can provide an extra layer of defense. Education is also important. Staying informed about the latest security threats can empower users to make better decisions. The Moonlock report reveals a shift in how attackers view macOS. As the platform's user base grows, it has naturally become a bigger target for cybercriminals. This isn't because macOS is inherently less secure than it once was, but because attackers see more value in targeting it. The tools and techniques for bypassing macOS protections have also become more accessible, making it easier for even less experienced attackers to go after users. A key takeaway is how much these attacks depend on user behavior. Many successful breaches don't rely on advanced exploits but instead take advantage of users who bypass protections like Gatekeeper or fall for phishing schemes. Malware like AMOS and Cthulhu Stealer thrives on user trickery into granting permissions or downloading seemingly legitimate software. Staying informed about threats, avoiding untrusted downloads, and enabling system protections are crucial for macOS users.