Mac computers are thought to be one of the most secure personal computers in the market. However, a new malware has proved contrary to the claim after researchers have found a malvertising strain that infects Mac devices – it’s called Tarmac.
Security researchers have said that the Tarmac malware (OSX/Tarmac) is distributed to different Mac users through a sophisticated malvertising or malicious advertising campaign. The malicious ads run rogue codes in the infected device that redirects the user to a webpage showing popups peddling software updates.
The malicious web page will automatically download software updates disguised for Adobe Flash Player. When users are tricked into downloading the said Adobe Flash Player update and installing it in their computer will introduce two malware to their system: the OSX/Shlayer malware, which was spotted in the wild in January 2019, and through it, the Tarmac malware will then be installed afterward.
It is interesting to note that while MacOS screens for potential malware before allowing users to install them in their devices, the Tarmac’s vehicle, disguising as an Adobe Flash Player update, actually has an Apple developer certificate. This made it easier for the malware to persist amidst the security mechanism in Apple computers.
“Indeed, that’s not the official Adobe installer, but a fake Flash Player installer that was signed using an Apple developer certificate 2L27TJZBZM issued probably to a fake identity named: Fajar Budiarto,” said the researcher in a blog post.
The two malware actually works together in order to flood the infected device with spam advertising. Researchers found that the Tarmac malware served as a second-stage payload for the initial Shlayer infection and noted that the version they have found is a relatively old version – making it hard to determine what stage of evolution the malware is right now.
Adding to that is the fact that the command center of the Tarmac malware has already been shut down, making it hard for researchers to investigate the extent of the threat. The researchers said it is possible that the control and command center for the malware has moved to a totally different location.
Nonetheless, with the version of the malware that the researchers have analyzed, it was determined that the Tarmac malvertising software gathers details about a victim’s hardware setup and sends this info to its command and control server.
Researchers note that in theory, most second-stage malware strains carry dangerous operations and could be a potentially harmful strain. However, since the command and control server is still offline as of writing, the researchers are yet to determine the extent of its infection. It still remains a mystery.
Amidst the lack of full knowledge regarding the Tarmac malware, Taha Karim, a cybersecurity expert from Confiant and the one who discovered the malware strain, said that Tarmac has a very specific geo-targeting. Karim told ZDNet that it was geo-targeted at users located in the US, Italy, and Japan.
“We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community,” Karim told ZDNet.