Security researchers have found a new strain of malware that targets macOS users. The malware, named Tarmac (OSX/Tarmac), was distributed to macOS users via online malvertising campaigns.
These malicious ads inject code into a Mac user's browser that redirects the victim to sites showing pop-ups suggesting software updates, usually for Adobe's Flash Player.
Victims who fell for this and downloaded the fake Flash Player update ended up installing a pair of malware strains on their systems: first OSX/Shlayer, and then OSX/Tarmac, which Shlayer downloads and launches.
According to Taha Karim, a security researcher at Confiant, this malvertising campaign distributing the Shlayer and Tarmac combo started in January this year.
Confiant published a report about the campaign at the time, but that report only documented the Shlayer malware, not Tarmac.
In a follow-up report published two weeks ago, Confiant dug deeper into the malvertising campaign and its payloads. That was how Karim found Tarmac, but the Tarmac samples identified were relatively old, and the malware's original command and control servers had been shut down or moved to a new location. This made it difficult for the researcher to get full insight into how Tarmac operated.
What is known is that after Shlayer downloads and installs Tarmac on an infected host, Tarmac gathers details about the victim's hardware setup and sends this information to its command and control server.
At that point, Tarmac waits for new commands. Because the servers were no longer reachable, Karim was not able to determine the full scope of Tarmac's capabilities.
Most second-stage malware strains are powerful and carry many intrusive features. For the time being, however, the purpose and full feature set of the malware remain a mystery.
According to Karim, the malvertising campaign that distributed the Shlayer and Tarmac combo was geo-targeted at users located in the US, Italy, and Japan.
The US and Japan are regular targets for malvertising and malware campaigns but Italy is an odd choice.
Since Tarmac payloads come signed with legitimate Apple developer certificates, Gatekeeper lets them install without warnings or errors, and XProtect, Apple's built-in signature-based malware scanner, does not stop them either, because it only blocks malware it already has a signature for. Gatekeeper checks that a signature is valid, chains to Apple and has not been revoked; it does not judge whether the signed code is benign, so a valid Developer ID signature on an installer is not by itself evidence that the installer is safe.
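The practical consequence of the point above is that "Gatekeeper accepted it" is too weak a check for a download that arrived via a pop-up. The following shell script is an added example, not code from the article or from Confiant: it pulls the signer's Team ID and leaf certificate out of `codesign -dvv` output and compares the Team ID against a list of developers you actually expect, so a signature that merely chains to Apple is reported as "valid but unknown" rather than trusted. The sample codesign output, the bundle paths and every Team ID below are constructed for illustration; the live check only runs where `codesign` and `spctl` exist (macOS), while the parsing and verdict functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the article or Confiant): triage the code signature of a
# downloaded macOS installer. Gatekeeper only verifies that the signature is valid,
# chains to Apple and is unrevoked; this script adds the missing question, namely
# "is this a signer I recognise?". All sample data below is constructed.

# Constructed stand-in for `codesign -dvv <path> 2>&1` on a Developer ID-signed app
# (codesign prints these details on stderr, hence 2>&1 in the live check).
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/Install/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=421 flags=0x0(none) hashes=8+3 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Dev Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2019 at 12:00:00 PM
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=176'

# Constructed stand-in for an ad-hoc signed binary (no Developer ID at all).
SAMPLE_ADHOC_OUTPUT='Executable=/tmp/dropper
Identifier=dropper
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=280 flags=0x2(adhoc) hashes=3+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=48'

# Team IDs of developers whose installers you have decided to trust (constructed).
TRUSTED_TEAM_IDS="TEAMID0001 TEAMID0002"

# Print the TeamIdentifier value from codesign -dvv output (empty if absent).
extract_team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Print the leaf signing authority, e.g. "Developer ID Application: Name (TEAMID)".
extract_leaf_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# Classify the signer. A Developer ID signature is exactly what gets a download
# past Gatekeeper, so "developer-id-unknown-team" is a prompt to investigate,
# not a clean bill of health.
#   $1: codesign -dvv output   $2: space-separated allow-list of Team IDs
signing_verdict() {
    team=$(extract_team_id "$1")
    leaf=$(extract_leaf_authority "$1")
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "unsigned-or-adhoc"
        return 0
    fi
    for allowed in $2; do
        if [ "$team" = "$allowed" ]; then
            echo "allowlisted"
            return 0
        fi
    done
    case "$leaf" in
        "Developer ID Application:"*) echo "developer-id-unknown-team" ;;
        *)                            echo "other-signer-unknown-team" ;;
    esac
    return 0
}

# Live check (macOS only): print Gatekeeper's own verdict next to ours.
# Both tools exit non-zero for rejected or unsigned code, hence `|| true`.
assess_live() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; skipping live assessment" >&2
        return 0
    fi
    spctl --assess --type execute -vv "$1" 2>&1 || true
    out=$(codesign -dvv "$1" 2>&1) || true
    echo "leaf authority: $(extract_leaf_authority "$out")"
    echo "verdict: $(signing_verdict "$out" "$TRUSTED_TEAM_IDS")"
}

echo "sample Developer ID build: $(signing_verdict "$SAMPLE_CODESIGN_OUTPUT" "$TRUSTED_TEAM_IDS")"
echo "sample ad-hoc build:       $(signing_verdict "$SAMPLE_ADHOC_OUTPUT" "$TRUSTED_TEAM_IDS")"
```

On a Mac, `assess_live /path/to/Installer.app` shows `spctl` accepting a Developer ID-signed bundle while the script still reports `developer-id-unknown-team` unless that Team ID is on your list. Keeping the allow-list to Team IDs rather than developer names matters because the display name in the certificate is chosen by whoever registered the account, while the Team ID is what Apple revokes once a certificate is reported as abused.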