Confiant specialists discovered that malicious ad campaigns in the US, Italy and Japan are spreading Tarmac malware targeted at Mac users. The goals of the malware, as well as its functionality, have not yet been fully studied.
The attack begins with a malicious ad launching malicious code in the victim's browser and redirecting it to a site that displays pop-ups stating that the user urgently needs to install a software update (usually Adobe Flash Player). Users who fall for this trick receive not an update but two pieces of malware at once: OSX/Shlayer and OSX/Tarmac.
According to Confiant, this Shlayer and Tarmac ad campaign has been active since January of this year. Notably, the company's researchers wrote about Shlayer last winter, but at that time they were unable to find Tarmac. Now the experts have supplemented their report on this still-active campaign and its payload.
Tarmac acts as the second-stage payload of the infection, that is, it comes into play after Shlayer. All versions of Tarmac discovered by the researchers turned out to be relatively old, and the command-and-control servers were no longer operating by the time the malware was discovered (most likely they had been moved elsewhere). This made it difficult to analyze the threat, and the researchers were unable to fully understand how Tarmac works.
At the moment, it is known that Tarmac is ultimately installed on Shlayer-infected hosts, collects information about the victim's settings and hardware, and then transfers this information to its command-and-control server. After that, the malware waits for new commands, but since the C&C servers were not operating, it was not yet possible to determine the malware's functionality. Experts believe the threat could be very dangerous, able to download and install additional applications, and they intend to continue the study.
Researchers add that Tarmac payloads are signed with legitimate Apple developer certificates, and as a result Gatekeeper and XProtect do not stop the installation of the malware and do not display any warnings.