This story is over 5 years old.


Not Just Windows: Hackers Are Using Mac Malware to Track Iranian Activists

Where targets move, hackers will follow.

In response to more activists using Apple Mac computers instead of Windows PCs, suspected Iranian government hackers have apparently developed their own Mac-based malware, according to a new report from security researchers.

The finding highlights the constant ebb-and-flow of governments disrupting and tracking activist movements. As one group adopts a new tool or technique, state-sponsored hackers may need to adapt to get the information they're after.


Read more: How Researchers Exposed Iranian Cyberattacks Against Hundreds of Activists

"This demonstrates that Iranian actors are responsive to their environment," Collin Anderson, one of the security researchers behind the report, told Motherboard in an email. "As their targets move to alternative platforms, often in the interest of security, so too do the tools that Iranian actors develop in order to conduct their espionage campaigns."

Anderson authored the report along with Claudio Guarnieri, who are both part of Security Without Borders, a recently-launched initiative that aims to give advice and help to journalists and activists around digital security. This work is part of the pair's ongoing research on espionage attacks and the Iranian state-sponsored hacking ecosystem, and an upcoming paper for the Carnegie Endowment for International Peace.


A screenshot of MacDownloader. Image:

The researchers first found the malware—called MacDownloader by its designers—on a website impersonating US aerospace firm United Technologies Corporation. Guarnieri and Anderson had already linked this site to Iranian hacking campaigns, Anderson told Motherboard, and knew it was a staging area for Windows malware. One day it suddenly had Mac-specific references, he added.

The malware comes as a phony Flash update that targets themselves download, and the program then connects to an external server, presumably to grab more modules for the malware to use. At the same time, MacDownloader siphons some information from the system to a server the hacker controls, including the contents of the Mac's keychain folder and a list of installed applications. The malware also creates a fake prompt box asking for the operating system's username and password, before sending that information off too.


"Armed with the user's credentials, the attackers would then be able to access the encrypted passwords stored within the Keychain database. While Chrome and Firefox do not store credentials in Keychain, Safari and macOS's system service do save passwords to sites, remote file systems, encrypted drives, and other criteria resources there," the report reads. From here, the hackers may be able to break into a target's email and social media accounts.

At the time of writing, VirusTotal, a sort of search engine that compares results from different security products, does not flag MacDownloader as malicious; meaning that anti-virus programs may have a hard time detecting the malware. The malware appears to be poorly developed, with some of its code copied from elsewhere, the report adds.

Apart from the malware itself, a danger to activists is that they may assume they are safer using macOS, and be less vigilant when hackers try to attack them.

"If macOS users believe that they are not vulnerable due to migrating away from Windows, then they may be more susceptible to compromise as a result of dropping their guard," Anderson told Motherboard.

Anderson believes this campaign is linked to Charming Kitten, a suspected Iranian-government hacking group. Other security researchers have found Charming Kitten impersonating journalists, targeting the US and Israeli military, and trying to steal credentials from US congressional staff.

In one piece of evidence, a server linked to the malware was exposed, allowing the researchers a peek at what sort of data the hackers had collected. Interestingly, the hackers had seemingly connected to Wi-Fi networks called Jok3r and mb_1986; both names that are connected to previous Iranian hacking campaigns.

Get six of our favorite Motherboard stories every day  by signing up for our newsletter .