The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft\u2019s long-standing success in business computing.<\/p>\n
For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly target Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications. <\/p>\n
Essentially, as Windows is the biggest target, cybercriminals zero in their efforts respectively.<\/p>\n
But new information last year revealed that could all be changing.<\/p>\n
Mac malware tactics shifted in 2023<\/strong><\/h2>\nApple\u2019s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.<\/p>\n
Already, the cybercriminals have taken note.<\/p>\n
In April 2023, the most successful and dangerous ransomware in the world\u2014LockBit\u2014was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year<\/a>, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice<\/a>, brought in more than $120 million before being disrupted by a coordinated law enforcement effort<\/a> in February of this year.<\/p>\nWhile the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was \u201cactively being developed.\u201d Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with \u201cavoiding prison.\u201d<\/p>\n
Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign<\/a> that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through \u201cmalvertising<\/a>,\u201d a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that\u2014though they may appear legitimate\u2014fool people into downloading malware.<\/p>\nIn this campaign, when users searched on Google for the financial marketing trading app \u201cTradingView,\u201d they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.<\/p>\n
But users who clicked the Mac download button instead received AMOS.<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/TradingView.webp\")
This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.<\/figcaption><\/figure>\nJust months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.<\/p>\n
In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as \u201cClearFake.\u201d The ClearFake campaign tricks users into believing they\u2019re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome\u2019s branding and update language, but the more recent campaign imitated the default browser on Mac devices\u2014Safari.<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Safari.webp\")
A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.<\/figcaption><\/figure>\nAs Malwarebytes Labs wrote at the time<\/a>:<\/p>\n\n\u201cThis may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.\u201d<\/p>\n<\/blockquote>\n
Replace \u201cmagic\u201d with Malwarebytes<\/strong><\/h2>\nCyberthreats on Mac aren\u2019t non-existent, they\u2019re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.<\/p>\n
Malwarebytes Premium detects and blocks the most common infostealers that target Macs\u2014including AMOS\u2014along with annoying browser hijackers and adware threats such as Genieo<\/a>, Vsearch<\/a>, Crossrider<\/a>, and more. Stay protected, proactively, with Malwarebytes Premium for Mac<\/a>. <\/p>\n
\nWe don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today<\/a>.<\/p>\n
While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was \u201cactively being developed.\u201d Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with \u201cavoiding prison.\u201d<\/p>\n
Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign<\/a> that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through \u201cmalvertising<\/a>,\u201d a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that\u2014though they may appear legitimate\u2014fool people into downloading malware.<\/p>\n In this campaign, when users searched on Google for the financial marketing trading app \u201cTradingView,\u201d they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.<\/p>\n But users who clicked the Mac download button instead received AMOS.<\/p>\n Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.<\/p>\n In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as \u201cClearFake.\u201d The ClearFake campaign tricks users into believing they\u2019re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome\u2019s branding and update language, but the more recent campaign imitated the default browser on Mac devices\u2014Safari.<\/p>\n As Malwarebytes Labs wrote at the time<\/a>:<\/p>\n \u201cThis may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.\u201d<\/p>\n<\/blockquote>\n Cyberthreats on Mac aren\u2019t non-existent, they\u2019re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.<\/p>\n Malwarebytes Premium detects and blocks the most common infostealers that target Macs\u2014including AMOS\u2014along with annoying browser hijackers and adware threats such as Genieo<\/a>, Vsearch<\/a>, Crossrider<\/a>, and more. Stay protected, proactively, with Malwarebytes Premium for Mac<\/a>. <\/p>\n We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today<\/a>.<\/p>\n\n
Replace \u201cmagic\u201d with Malwarebytes<\/strong><\/h2>\n
\n