Mac malware, possibly made in Iran, targets US defense industry

“Just because you’re using a Mac doesn’t mean you’re safe from hackers,” Michael Kan reports for IDG News Service. “That’s what two security researchers are warning, after finding a Mac-based malware that may be an attempt by Iranian hackers to target the U.S. defense industry.”

“The malware, called MacDownloader, was found on a website impersonating the U.S. aerospace firm United Technologies, according to a report from Claudio Guarnieri and Collin Anderson, who are researching Iranian cyberespionage threats,” Kan reports. “The fake site was previously used in a spear phishing email attack to spread Windows malware and is believed to be maintained by Iranian hackers, the researchers claimed.”

“Visitors to the site are greeted with a page about free programs and courses for employees of U.S. defense companies Lockheed Martin, Raytheon, and Boeing,” Kan reports. “The malware itself can be downloaded from an Adobe Flash installer for a video embedded in the site. The website will provide either Windows or Mac-based malware, depending on the detected operating system.”

“The MacDownloader malware was designed to profile the victim’s computer, and then steal credentials by generating fake system login boxes and harvesting them from Apple’s password management system, Keychain. However, the malware is of shoddy quality and is ‘potentially a first attempt from an amateur developer,’ the researchers said,” Kan reports. “The malware failed to run a script to download additional malicious coding onto the infected Mac. But despite the shoddy quality, the malware still managed to evade detection on VirusTotal, which aggregates antivirus scanning engines.”

Read more in the full article here.

MacDailyNews Note: If you receive what you believe to be a phishing email purporting to be from Apple, send it to, a monitored email inbox, which does not generate individual email replies.

Forwarding the message with complete header information provides Apple with important information. To do this in OS X Mail, select the message and choose Forward As Attachment from the Message menu.


    1. By enslaving a bunch of smart innocent people to work on such project instead of being productive and winning a bread. The people of Iran are not he same as the invaders ruling that country.

    2. To be fair, Iran has IT security forces for many years, and as oil/gas rich country, it was always financed well. Especially after the USA has used malware against their nuclear fuel program facilities.

      If you refer to the fact that Iran has got its own money back after it has agreed to be subjected to UN-supervised audit that confirms that its nuclear fuel program is not used for nuclear weapons, then it should not be an issue. That deal was a great success as it provides unique transparency. Trump’s Pentagon head Mattis supports it (even though Trump is against it).

            1. Not really. Iran’s troops are not in Mexico or Canada, they are not about to spill over to the USA in an invasion. In fact the last time Iran was attacking any country was like hundreds of years ago.

              This does not mean that the USA or any other major country would not be cautious, of course. This is why the UN has put some restrictions on Iran.

          1. you’re an idiot.

            iWill ad to botvirnnik by saying how ignorant you are of Iran. Iran is a duplicitous cesspool of a country. So, in closing you “TRUST” Iran’s leaders to keep their word? DErss, you are delusional.

            1. Countries should never trust each other. This is why the deal incorporates obligatory UN-mandated inspections to all of Irans facilities that even remotely connected to processing of anything that could be a nuclear material. The inspections are already ongoing, there are no issues so far.

  1. “The MacDownloader malware was designed to profile the victim’s computer, and then steal credentials by generating fake system login boxes and harvesting them from Apple’s password management system, Keychain.”

    Not sure how Keychain works but if it automatically fills in login info into dialog boxes I suppose those dialogs could be popped up, info ‘read’ and the dialog closed before the user even realizes what happened. Then followed up by some kind of user interaction (e.g bug detected, please click to clean/diagnose) that would actually send the collected info to the hacker’s server.

    1. The Trojanware would have to fool the user into providing the Administrator password, if they even know it. (One great reason to keep average Mac users in ‘Standard’ client accounts with no Admin access).

      Once the Trojan has the Admin password, it can unlock Keychain and scour through its database of user IDs and passwords then send the hoard on to wherever.

      Of course, this is yet another great reason to have a ‘reverse firewall’ installed, such as Little Snitch, Hands Off, Net Barrier…. When the Trojan attempts to phone home, you’ll notice and can kill the process.

      1. That sentence gives me the impression that it doesn’t directly access Keychain but relies on the ‘autofill’ function that could possibly fill in the fake login boxes which the malware generates to gather info.

  2. History books record that the CIA overthrew Iran’s democratically elected Mosadeh, replacing him with the very unpopular Shah Rezah Pahlavi who put on some royal garb and medals and began to oppress anyone who wanted to use a democratic form of government. Two years ago, Jefferey Sterling blew the whistle on the US governments attempt to give Iran faulty nuke blueprints which were “…botched and that the Iranians learned the blueprints were flawed; the Iranians might have gained nuclear insights from the accurate parts.”

    Just two examples of why Iran may be f•cking with the US.

    1. The US has had a long and sorry relationship with Iran. The 1953 CIA sponsored coup was sold as a strategic move against Soviet expansionism. But it was really about the narrow interests of UK and US oil companies when the Iranian government moved to nationalize western oil company assets within its boarders. This tactical success became a strategic blunder while the US looked the other way as the Shah’s brutal repression of dissent soured the Iranian people on his rule.

      When the 1979 revolution came the US was the perfect scapegoat that allowed the Mullahs to install their own autocratic rule and blame the US for all Iran’s ills, wether they were actually caused by external forces or self-inflicted. Since the revolution it’s been tit for tat between the two nations with very little good emerging. But these days most of Iran’s iIls are of the self-inflicted variety.

      I have known a good number of Iranians who fled the revolution and they have all been good people. Let’s keep in mind that the Iranian people are not our enemy, even though they have a really shitty government.

      It’s the Saudis that I am much more concerned about.

      1. The US government has been played as a puppet to both Corporatocracy and the interests of Israel. Both are in blatant evidence in the chaos the USA has created in the Middle East. Meanwhile, the carbon fuel parasites and the Zionists love it and happily encourage my government to continue its induction of chaos. Pull the strings…

        It’s no wonder some Arab countries hate the USA. But what’s extra sad and amusing is that the USA has simply been the dupe of the real architects of middle eastern chaos.

        I’m making this statement as something to think about. I won’t be debating about it.

        1. I’m with you on the Israeli problem. We’ve been dragged into that mess by an odd coalition of hard core Zionist Jewish and fundamentalist Christian leaders with obtuse biblical motivations in support of continued settlements in the West Bank. These people have NO interest in a just peace with the Arabs. And here we are, giving them a wink and a nod on the settlements. Oh, and don’t forget the billions of public and private $$$ we sent to Israel each year. It’s no way to run a foreign policy.

          This is going to be politically incorrect so the “sensitives” on this site should cover their eyes. They’ll deny it but the Israeli Jews are one and the same as the Arabs they live side by side with. By history and by blood they are the same people!!! Which explains a lot about why the region is so screwed up. It’s not a fight the US should have any part in. If Trump is true to his “America First” motto (which I really don’t support FYI), he should move to disentangle this country from the whackier parts of the Middle East.

          Do not mistake me for being anti-Semitic. I just tire of this country being used as a pawn by those who do not have our best interests at heart.

  3. I have come across Macdownloader before…sometime within the past year so I doubt that it is unique to this website. I regularly look for malware on every Mac I work on now. Over the past year I estimate 80% of my client’s Macs had some sort of malware on them…adware mostly but also PUPs i.e. MacKeeper.

      1. Even better question, do you realise Saudi Arabia is the greatest exporter of terrorism and medieval extremist brand of Islam in the world yet Trump allows their citizens unfettered access to the US? Is Trump an enemy of the US?

        1. Sixteen years after 9/11 the Saudi government continues to print textbooks inciting hatred and violence against Christians, Jews and other non-Sunni Muslim believers such as the Shiites of Iran. Young school children are taught that Shiites are traitors to the “true” faith and deserve instant death, while Jews and Christians deserve to be offered the chance to convert first or be put to death. School children in Saudi Arabia are never taught critical thinking skills nor are they encouraged to inquire about alternate points of view. Saudi religious leaders continue to spread spiritual and intellectual poison throughout the world.

          Most of the princes may be moderated by western influence, but their tolerance for Wahhabism can no longer be ignored. It’s time they be made to choose where they stand. If Trump is serious about combatting external threats there’s no better place to start than the KSA.

          Apple would do well to keep their business ties at arms length in that place.

  4. It should come as no surprise that after the Stuxnet computer virus was created by Apple’s home nation to destroy nuclear centrifuges in Iran that the Iranians would try to defend themselves.

    It’s going to get ugly, real ugly.

  5. Trump need not worry- he is a Fandroid/Windows guy.
    Making Amurrikah Crater Again.

    As to Phishing. Don’t click on bullshit. Use your brain for something other than a hat rack. Do not give out your info to people you do not know or trust.

  6. “Just because you’re using a Mac doesn’t mean you’re safe from hackers,” Michael Kan reports for IDG News Service.

    Oh really. I love it when snotty people make such statements like they’re saying something brilliant to the clueless. YES Mr. Kan. We know that already. DUH.

    But Macs obviously aren’t the problem here at all. This is PHISHING, which means WETWARE is the target. Trojan horse malware is the payload.

    We ARE the weakest link. Don’t be socially engineered.

    1. It turns out that there are TWO Mac malware in the wild. They’re being confused as one at the moment by certain, ahem, tech journalists. One Trojan is “MacDownloader”. But the second Trojan has not yet been formally named. I’m temporarily calling it ‘Son-Of-EmPyre’:

      Dan Goodin (personal hero) at Ars Technica has a more detailed description of what’s going on:

      Mac malware is still crude, but it’s slowly catching up to its Windows rivals
      A tale of two attacks that both target MacOS users.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.