Not all of Tarmac's capabilities are known yet, but what is known is that it is malware targeting macOS and that it is distributed through malicious advertising (malvertising) on web pages. The malicious ads redirect potential victims to websites urging them to install a software update. What appears on those sites usually looks like a Flash Player update, but when a visitor tries to install it they are in fact downloading the OSX/Shlayer malware, which then installs OSX/Tarmac as a second-stage payload. Researchers at the ad-security firm Confiant revealed details of both the Shlayer and Tarmac macOS malware. Once installed, the malware gathers information about the infected machine, relays it to its command-and-control server, and then waits for further instructions. The malware evades detection because it is digitally signed with legitimate Apple developer certificates, so a valid signature on its own is not evidence that an installer is trustworthy. The campaign was discovered back in January, but at that time only the Shlayer component was found. The Tarmac samples found recently were old, and their command-and-control servers may have been moved or shut down; because of this, Tarmac's full capabilities could not be determined. Known targeted regions are Italy, Japan, and the US. "We think actors proceed by trial and error, and they might have found a sweet spot in Italy, between the profit they can reap and the level of attention from the security community," stated Taha Karim, a researcher at Confiant.
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.