Malware spotlight: Tarmac

Introduction

Many people wrongly believe that Mac computers are unable to get viruses. This belief is far from true. nVir, the first virus targeting Macintosh computers, appeared in 1987 and remained active until 1991. Although Macs are traditionally not friendly towards programs coming from unknown developers, they can still be affected by malware.

A new type of virus called Tarmac is currently spreading on Macs all over the world. It successfully passes a Mac’s built-in security measures, such as Xprotect (which does not allow malware to be opened) and Gatekeeper (which allows only the installation of software developed by certified developers). Macs are subject to fewer attacks than computers using Windows likely because criminals create more malware for Windows computers than for Macs.

This article examines Tarmac malware in detail and provides recommendations on how to avoid an infection with it.

What is the modus operandi of Tarmac malware?

Tarmac has been active since January 2019 and targeted mainly users in the United States, Japan, and Italy. It works together with another malware called Shlayer. Shlayer has been the most common malware threat for Mac for about two years. For example, in 2019, one out of ten Kaspersky security solutions for Mac encountered Shlayer.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Tarmac spreads itself through malicious ads. Once a potential victim clicks on one of those malicious ads, he or she will be requested to download a file purporting to contain a Flash player. Interestingly, the file contains a legitimate Apple developer certification. The certification allows the malicious file to pass through the security measures of the targeted Mac.

The certification is not difficult to obtain. Any Apple developer can obtain it for $99. Taha Karim, a security researcher at Confiant, writes: “Signing malware with Apple developer certificates, not only it is easy to do, but (Read more...)