img HowTosOSX

MacDownloader virus removal from Mac OS X

Get a comprehensive report on MacDownloader, a Mac OS X virus designed to steal U.S. defense organizations’ secrets via an intricate social engineering tactic.

A group of threat actors, presumably from Iran, have recently launched a cybercrime campaign that zeroes in on individuals representing some of the largest defense organizations based in the United States. A sample of perpetrating code referred to as MacDownloader has been predominantly infecting Mac machines within these institutions. Security analysts investigating these sorts of felonies are accustomed to dealing with high-profile attacks reminiscent of the notorious Stuxnet worm incident back in 2010. In this case, though, things are a bit different, to put it mildly. The breach workflow appears somewhat primitive, which suggests that the adversary is either not professional enough or simply sloppy.

Fake Adobe Flash Player update prompt by MacDownloader virus

The MacDownloader attack commences with a would-be victim visiting a phishing web page masqueraded as a training course for interns working in the target organizations. The social engineering part revolves around an old-school technique where the user is unable to watch a video on the site. According to a deceptive alert that pops up, the problem has to do with out-of-date Adobe Flash Player. Then, another dialog appears, instructing the user to update the software immediately. At this point, simply clicking the Close button on the box will terminate the MacDownloader compromise. Otherwise, the rogue update will result in further brainwashing.

MacDownloader displays a bogus adware detection warning

A new popup triggered if the user hits the Update Flash Player button is a notification that says, “Warning! Please Attention… An adware application found on your Mac OS (iWorm v0.681). This file will be clean in a few seconds.” Note that spelling errors and typos are literally everywhere on the malware’s dialogs. All in all, the detection of a worm that’s claimed to be adware is a huge giveaway. Indeed, why on earth would the genuine Adobe Flash Player report Mac infections? The most likely explanation of this apparent discrepancy is that MacDownloader must have been built as a rogue AV product, but the authors had to adapt its activity to absolutely new objectives and failed to do it properly.

MacDownloader tries to dupe a victim into providing their admin password

If the OK button is clicked on the spoof adware detection window, the victim will be presented with a new screen that requests their username and password. This is the phishing part in its most explicit form. In the event the user ends up providing their administrative credentials, the MacDownloader virus will be able to access the system’s keychain data and harvest all passwords. It doesn’t take a rocket scientist to predict the ultimate upshot of such activity – the offending program will attempt to transmit the collected information to its Command and Control server. To add insult to injury, it is also capable of downloading arbitrary payloads from the C2 and executing them inside the host Mac OS X machine without authorization. It’s clear that MacDownloader removal should be on a victim’s agenda. The tips below will shed light on the malware cleanup process.

MacDownloader manual removal for Mac

The steps listed below will walk you through the removal of this application. Be sure to follow the instructions in the order specified.

• Open up the Utilities folder as shown below

Open up the Utilities

• Locate the Activity Monitor icon on the screen and double-click on it

Locate the Activity Monitor

• Under Activity Monitor, find the entry for MacDownloader, select it and click Quit Process

Quit MacDownloader process

• A dialog should pop up, asking if you are sure you would like to quit the MacDownloader executable. Select the Force Quit option

• Click the Go button again, but this time select Applications on the list. Find the entry for MacDownloader on the interface, right-click on it and select Move to Trash. If user password is required, enter it

• Now go to Apple Menu and pick the System Preferences option

Pick the System Preferences

• Select Accounts and click the Login Items button. Mac OS will come up with the list of the items that launch when the box is started up. Locate MacDownloader there and click on the “-“ button

Remove MacDownloader from Login Items


Use automatic tool to completely remove MacDownloader from your Mac

1. Download and install MacKeeper application (read review). In addition to security features, this tool provides a vast arsenal of Mac optimization capabilities

Download MacKeeper

2. Get your Mac checked for malicious software by going to System Scan and starting the scan procedure

MacKeeper: Analysis

3. When the app comes up with a list of detected security issues, get those fixed by clicking the respective button. The MacDownloader virus should now be completely gone.