A macOS malware agent, named MacDownloader, was observed “in the wild” targeting the defense industrial base, and reported elsewhere to have been used against a human rights advocate, according to Iran Threats, a website run by Claudio Guarnieri and Collin Anderson that analyzes online threats from Iran.
MacDownloader poses as an installer for Adobe Flash and as the Bitdefender Adware Removal Tool in order to extract system information and copies of macOS keychain databases. Its main purpose appears to be initial profiling of the infected system and collection of credentials from macOS’s Keychain password manager.
“Based on observations on infrastructure, and the state of the code, we believe these incidents represent the first attempts to deploy the agent, and features such as persistence do not appear to work,” says Iran Threats. “Instead, MacDownloader is a simple exfiltration agent, with broader ambitions.”