Daily Flux Report

MacBook Pro Owners Warned As 99 New Security Problems Reported

I've just taken delivery of my brand new MacBook Pro with the M4 Max chip. Whether you have just upgraded to the latest iteration or are taking advantage of the new release to grab an M3 bargain, there's one thing you should be doing: staying alert to the MacBook Pro malware problem. No, seriously. Sorry, Apple users, but your MacBook, like my MacBook, isn't immune to the malware threat. In fact, there are 99 new reasons why you should take it as seriously as I do. Here's what you need to know about the MacBook Pro 2FA-bypassing infostealer problem.

I recently reported how MacBook users, regardless of chip, should beware as cybercriminals were deploying a new ransomware variant targeting them. Now threat intelligence experts at Mac security specialists Intego have warned that users are being targeted by 99 new variants of infostealer malware.

The Intego malware analysts have reported 99 "unique new samples of stealer malware," which suggests that threat actors are attempting to evade detection by spraying the attack surface as broadly as possible. This theory is supported by Intego's chief security analyst, Joshua Long, who said that even "relatively obscure browsers" were being targeted. The list is almost endless, and incorporates the usual suspects of Google Chrome and Apple Safari, as well as Firefox, Arc, Brave, Microsoft Edge, Opera, Vivaldi and the likes of the Mozilla Firefox-derived Pale Moon and Waterfox.

Long said that Intego's malware analysis team had recently come across 99 unique samples of Base64-encoded shell scripts. These all used an obfuscation technique that mixes up three Base64-encoded strings, which are then decoded and run as a command. That command is, in fact, another bash script, but this time one that contains AppleScript code to check for a mounted volume named installer. If found, an executable app file is copied to the hidden /tmp folder on your MacBook Pro, into a directory also named installer.

Three more commands are then executed if possible: one removes extended attributes from the file so that the com.apple.quarantine attribute no longer triggers Gatekeeper's checks, another makes the file executable as an app from the command line, and finally, a third runs the malicious installer app.
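The three-stage behaviour described above (Base64-wrapped shell script, a volume check, a copy into /tmp, a quarantine-attribute strip, a chmod and a launch) is the kind of pattern a defender can look for in scripts before they are ever run. The following is an added example, not Intego's tooling or code from the article: a small Python triage script that peels Base64 layers out of a shell script and scores the decoded text against indicators drawn from the article's description. The indicator names, the threshold of three hits, and the two sample scripts are all constructed for this illustration; the "malicious" sample deliberately omits the copy and launch steps so it is not a working dropper.

```python
import base64
import re

# Indicators derived from the behaviour described in the article. Names and
# patterns are this example's own choices, not a published rule set.
INDICATORS = {
    "eval_decode": re.compile(r"\beval\b.*base64\s+(?:-d|-D|--decode)"),  # decode-and-run wrapper
    "applescript": re.compile(r"\bosascript\b"),                           # AppleScript invoked from shell
    "volume_check": re.compile(r"/Volumes/installer\b", re.I),             # mounted volume named "installer"
    "tmp_copy": re.compile(r"/tmp/installer\b", re.I),                     # staging directory in hidden /tmp
    "xattr_strip": re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b"),  # quarantine removal
    "chmod_exec": re.compile(r"\bchmod\s+\+x\b"),                           # make the payload executable
}
SUSPICIOUS_THRESHOLD = 3  # constructed cut-off: three distinct behaviours together is unusual for benign scripts

# A run of Base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_layers(script: str, max_depth: int = 3) -> list[str]:
    """Return the decoded text of every Base64 literal found, recursing into
    the decoded output so nested wrappers are also unpacked."""
    found = []
    frontier = [script]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for token in B64_TOKEN.findall(text):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not real Base64 (e.g. a path like /Volumes/installer)
                found.append(decoded)
                next_frontier.append(decoded)
        frontier = next_frontier
    return found


def assess(script: str) -> dict:
    """Score the script plus all decoded layers against the indicators."""
    hits = set()
    for layer in [script] + decode_layers(script):
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return {"indicators": sorted(hits), "suspicious": len(hits) >= SUSPICIOUS_THRESHOLD}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample wrapper (not a real dropper): three Base64 literals, stored
# out of order, decoded and joined before being handed to eval. The copy and
# launch steps are intentionally left out.
_FRAGMENTS = [
    "osascript -e 'list disks' | grep -qi installer && test -d /Volumes/installer && ",
    "xattr -c /tmp/installer && ",
    "chmod +x /tmp/installer",
]
SAMPLE_WRAPPER = (
    f'a="{_b64(_FRAGMENTS[1])}"\n'
    f'b="{_b64(_FRAGMENTS[2])}"\n'
    f'c="{_b64(_FRAGMENTS[0])}"\n'
    'eval "$(echo "$c" | base64 -d)$(echo "$a" | base64 -d)$(echo "$b" | base64 -d)"\n'
)

# Constructed benign script: Base64 is used, but nothing is evaluated or staged.
BENIGN_WRAPPER = (
    f'msg="{_b64("hello from a harmless script")}"\n'
    'echo "$msg" | base64 -d\n'
)

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_WRAPPER))
    print("benign:", assess(BENIGN_WRAPPER))
```

The point of decoding every layer rather than grepping the raw file is that the wrapper itself carries almost nothing recognisable; the volume name, the /tmp path and the xattr call only appear after decoding. Requiring several distinct indicators keeps ordinary scripts that happen to embed a Base64 string, such as the benign sample, from being flagged.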

The fake installer apps that the malicious script is looking for in order to copy and run are, Long warned, stealer malware "designed to gather and exfiltrate cryptocurrency wallets, browser cookies, Microsoft Word documents, and more."

Of most importance, in my humble opinion, are the browser cookies targeted by these malicious applications. These cookies, known as session cookies, can enable a hacker to gain access to the accounts you are already signed into without having to enter your credentials, including two-factor authentication protections, again. In other words, an attacker possessing a session cookie can bypass your 2FA account requirements.

"If you use Intego VirusBarrier," Long said, "you're already protected from this malware." Running this kind of macOS antivirus security software isn't an altogether daft idea, although you would expect a vendor to recommend it, of course. Any additional layer of security you can put between your MacBook Pro and attackers must be considered worthwhile.

However, that doesn't mean you necessarily need to spend money on an antivirus subscription. The primary mitigations against such a threat boil down to two things: awareness and staying alert to the threat. Now you know the threat exists, understand that the main method of infection is going to be a phishing campaign most commonly using email as the attack vector.

Such emails will attempt to get you to download a script or executable via clicking a link or opening a malicious attachment. Ultimately, an attacker will be looking for you to log into an account where the malware can intercept the process to capture the session cookie to use as a means of ongoing access to the targeted account. Passkeys can help mitigate such attacks by providing stronger protections against "automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication," according to a Google spokesperson. Chromium-based browsers will have built-in protections against malware such as app-bound encryption, device-bound session credentials and Google Chrome's safe browsing mechanisms. Apple has macOS keychain protection in place as well. At the end of the day, being careful what you click is the main defense, so bear that in mind as you unwrap your brand-new MacBook Pro.

I have reached out to Apple for any further advice for MacBook Pro owners.
