Hackers Target Iranian Activists’ Mac Devices With Revamped Malware · Global Voices
Center for Human Rights in Iran

Suspected state-sponsored Iranian hackers targeting civil human rights users have a new virus targeting Apple computers. Image from Flickr, used under Creative Commons.
This report was first published on the International Campaign for Human Rights in Iran website.
Until recently, Iranian civil and human rights-focused users of the Windows and Android operating systems were the people most vulnerable to hacking attacks that most likely came from the Iranian government. But these types have attacks now have begun to affect Apple users, using malware (software that damages or disables computer systems) that targets users’ Apple devices, according to a new report by Iran Internet researcher Collin Anderson and security researcher Claudio Guarnieri.
Anderson, who co-runs the Iran Threats website, told the Campaign that the hackers are targeting the computers of civil rights activists with a revamped version of the MacDownloader malware, which was previously used to target industrial infrastructures. MacDownloader was designed to steal victims’ computer passwords by luring them to a fake prompt box that invites account holders to provide or reset their passwords.
A statement issued by Iran Threats on February 6, 2017 detailed the process:
A macOS malware agent, named MacDownloader, was observed in the wild as targeting the defense industrial base, and reported elsewhere to have been used against a human rights advocate. MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases. Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work. Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.
After hackers gain the OSX Keychain information, they can potentially copy passwords for other tools such as email, websites, software and hardware and access virtually all the information stored by users on their computers and online.
“My fear is that many people switched to Mac (Apple) because they were concerned about malware and security issues (thinking Mac would better protect them), but doing this alone does not solve the issue,” Anderson, who is based in Washington, DC, told the International Campaign for Human Rights in Iran. “So this is why this report is serious: it’s informing Mac users that they still have to be vigilant.”
Internet and social media apps are heavily restricted and censored in Iran, with hardliners in the government viewing any form of Internet freedom as a threat to the sanctity of the Islamic Republic. Research has shown that Iranian hackers, often directed by hardliners within the country’s government, periodically launch hacking campaigns against civil and human rights activists and organizations to disrupt or intimidate them into ceasing their peaceful activism.
Anderson tells us:
There’s no simple remedy, and the best protection is to be skeptical about the software that one downloads, and to be cautious about the emails they receive. As we show in the report, antivirus software typically relies on having detected a piece of malware before flagging it as malicious….Since the Iranian attacks are targeting a small population (rights activists), the detection rate by those products is low. Antivirus is not sufficient in protecting against targeted attacks.