Although not all of Tarmac's features are yet known, it is malware that targets macOS computers and is distributed through malicious advertising on web pages. The malicious ads redirect potential victims to websites urging them to install a software update. What the sites offer is usually presented as a Flash Player update, but anyone who installs it actually downloads the OSX/Shlayer malware, which then installs OSX/Tarmac. Researchers at the advertising security firm Confiant revealed details of both Shlayer and Tarmac. Tarmac scans the infected machine for system information, relays that information back to its command and control server, and then waits for further instructions. It is digitally signed with legitimate Apple developer certificates, which lets it pass Apple's built-in checks. The campaign was discovered back in January, but at that time only the Shlayer portion was found. The Tarmac samples found recently were old, and their command and control servers may have been moved or shut down, so the full set of Tarmac's capabilities could not be determined. Known target locations for this campaign are Italy, Japan, and the US. "We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community," stated Tara Kahim, a researcher at Confiant.
Analyst Notes
Gatekeeper will not block Tarmac payloads because they are signed with a legitimate Apple Developer ID certificate, and XProtect only blocks samples that match its signatures. There are anti-virus products that identify known Tarmac versions and can block them before the malware is installed. Binary Defense analysts recommend a defense-in-depth strategy: install anti-virus software on all computers (including both Windows and macOS computers), keep anti-virus signatures up to date, and continuously monitor computers for telltale signs of intrusion, whether or not anti-virus has detected malware. The Binary Defense Security Operations Center (SOC) provides 24×7 monitoring for Windows, macOS and Linux endpoints.
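Because a valid Developer ID signature is enough to satisfy Gatekeeper, the useful question for a defender is not "is this app signed?" but "is it signed by a team we recognise?". The script below is an added example, not code from the article or from Binary Defense: it parses the text that `codesign -dv --verbose=4` writes to stderr on macOS and classifies the bundle by its signing authority and Team Identifier against a small allowlist. The allowlist, the bundle paths, identifiers and Team IDs in the sample outputs are all constructed for the example and do not correspond to any real vendor or to Tarmac samples.

```python
"""Triage macOS code signatures by Developer ID Team Identifier.

Added example (not from the original article). Parses `codesign -dv
--verbose=4` output and flags bundles signed by a Team ID that is not
on an organisation's allowlist, since "signed" alone is not "trusted".
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed allowlist for this example: Team IDs a hypothetical
# organisation has vetted. In practice, build it from your software inventory.
TRUSTED_TEAM_IDS: Set[str] = {"Z9XQ3T2M7N"}

AUTHORITY_RE = re.compile(r"^Authority=(.*)$")
TEAM_RE = re.compile(r"^TeamIdentifier=(.*)$")
IDENT_RE = re.compile(r"^Identifier=(.*)$")


@dataclass
class SignatureInfo:
    signed: bool = False
    adhoc: bool = False
    identifier: str = ""
    authorities: List[str] = field(default_factory=list)
    team_id: Optional[str] = None


def parse_codesign(output: str) -> SignatureInfo:
    """Parse the stderr text of `codesign -dv --verbose=4 <bundle>`."""
    info = SignatureInfo()
    for raw in output.splitlines():
        line = raw.strip()
        if "code object is not signed at all" in line:
            return info  # unsigned: nothing else to read
        if line.startswith("Signature=adhoc"):
            info.adhoc = True
        m = IDENT_RE.match(line)
        if m:
            info.identifier = m.group(1)
        m = AUTHORITY_RE.match(line)
        if m:
            info.authorities.append(m.group(1))
        m = TEAM_RE.match(line)
        if m:
            info.team_id = None if m.group(1) == "not set" else m.group(1)
    # Ad-hoc signatures carry no certificate chain, so no Authority lines.
    info.signed = bool(info.authorities) or info.adhoc
    return info


def classify(info: SignatureInfo, trusted: Set[str] = TRUSTED_TEAM_IDS) -> str:
    """Map a parsed signature to a triage verdict."""
    if not info.signed:
        return "unsigned"
    if info.adhoc:
        return "adhoc"
    if "Software Signing" in info.authorities:
        return "apple"  # Apple's own platform binaries
    if "Apple Mac OS Application Signing" in info.authorities:
        return "app-store"
    if info.team_id in trusted:
        return "developer-id-trusted"
    return "developer-id-unknown"  # valid Developer ID, but not one we vetted


def assess_app(path: str, trusted: Set[str] = TRUSTED_TEAM_IDS) -> str:
    """Run codesign on a real bundle (macOS only) and classify it."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return classify(parse_codesign(proc.stderr), trusted)


# Constructed codesign outputs for offline use; paths and IDs are made up.
SAMPLE_DEVELOPER_ID = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (Z9XQ3T2M7N)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z9XQ3T2M7N
"""
SAMPLE_UNKNOWN_TEAM = """\
Executable=/Volumes/Install/Flash Player.app/Contents/MacOS/Install
Identifier=com.installer.update
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Updater LLC (Q4R8T1V6W2)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Q4R8T1V6W2
"""
SAMPLE_UNSIGNED = "/tmp/foo.app: code object is not signed at all\n"
SAMPLE_ADHOC = "Executable=/tmp/foo\nIdentifier=foo\nSignature=adhoc\nTeamIdentifier=not set\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for bundle in sys.argv[1:]:  # e.g. /Applications/*.app on a Mac
            print(f"{bundle}: {assess_app(bundle)}")
    else:
        for name, text in [("developer-id", SAMPLE_DEVELOPER_ID),
                           ("unknown-team", SAMPLE_UNKNOWN_TEAM),
                           ("unsigned", SAMPLE_UNSIGNED),
                           ("adhoc", SAMPLE_ADHOC)]:
            print(f"{name}: {classify(parse_codesign(text))}")
```

A "developer-id-unknown" verdict on something posing as a Flash Player installer is a hunt lead, not proof of compromise, and the reverse also holds: a Developer ID certificate that has been abused will classify as trusted if its Team ID is on the allowlist, until Apple revokes it. Pair the Team ID check with `spctl --assess --verbose` (which consults revocation and notarization) and with the behavioural monitoring the notes above recommend.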