TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Say Hello to Mac Malware

2025-04-22

ATT&CK techniques detected

11 predictions

T1548.006 TCC Manipulation · 99% · “…ware using cron jobs via adloads as a way of persistence. We’re also seeing malware authors target apps or services that users regularly launch (such as replacing the Dock icon with their own malware). While this won’t automatically run on reboot (and therefore isn’t a…”

T1548.006 TCC Manipulation · 99% · “…point is showing them. There are also many ways for threat actors to get around TCC, as we’ve seen through the many disclosures of macOS vulnerabilities in Apple’s security updates. XCSSET, which is macOS malware that was uncovered a few years ago and has various capabiliti…”

T1548.006 TCC Manipulation · 98% · “…then given consent to carry out that action via System Preferences. TCC is a good idea from a security perspective, but its design and implementation have led to several UI impacts. End users are often inundated with security alerts tied to various permissions, even for security t…”

T1553.001 Gatekeeper Bypass · 98% · “…or through the “Open Anyway” option in System Settings in order to execute potentially malicious applications. Threat actors behind macOS malware like the Shlayer adware dropper have used this weakness in their attacks. However, more recently Apple has tweaked Gatekeeper’s fu…”

T1548.006 TCC Manipulation · 93% · “…(via the ES_EVENT_TYPE_NOTIFY_TCC_MODIFY identifier), giving third-party security tools better visibility into TCC permissions that have been modified or changed. These events are currently reactive, meaning that notifications happen after they occur, but the more p…”

T1548.006 TCC Manipulation · 82% · “…details about macOS malware trends and to better understand the impacts of Apple’s new TCC events support in Endpoint Security, watch the full version of our April Tradecraft Tuesday episode!”

T1548.006 TCC Manipulation · 82% · “…is difficult, especially because as researchers write new detections, we inherently start to see more. However, we do see some overarching trends that are indicative of how more threat actors are targeting macOS platforms overall. For example, threat actors in some cases are port…”

T1543.001 Launch Agent · 79% · “…are responding to these measures by attempting to bypass them. Below are some of the key takeaways from the episode. Malware persistence on macOS... well, persists. Malware authors continue to employ persistence mechanisms for macOS, but those techniques have sometimes changed ove…”

T1053.003 Cron · 74% · “…, persistence provides a good detection mechanism for malware, because unlike initial access vectors — which vary widely from vulnerability exploitation to compromised credentials — there are a more limited number of persistence methods available. Apple has specifically tracked p…”

T1543.004 Launch Daemon · 69% · “…are responding to these measures by attempting to bypass them. Below are some of the key takeaways from the episode. Malware persistence on macOS... well, persists. Malware authors continue to employ persistence mechanisms for macOS, but those techniques have sometimes changed ove…”

T1059.002 AppleScript · 55% · “…is difficult, especially because as researchers write new detections, we inherently start to see more. However, we do see some overarching trends that are indicative of how more threat actors are targeting macOS platforms overall. For example, threat actors in some cases are port…”

Summary

In this month’s Tradecraft Tuesday, we talked about how threat actors are fine-tuning their macOS malware in order to maintain persistent access and avoid detection by Apple’s security features.