MacDownloader virus removal from Mac OS X

Get a comprehensive report on MacDownloader, a Mac OS X virus designed to steal U.S. defense organizations’ secrets via an intricate social engineering tactic.

A group of threat actors, presumably from Iran, has recently launched a cybercrime campaign that zeroes in on individuals representing some of the largest defense organizations based in the United States. A malicious code sample referred to as MacDownloader has been predominantly infecting Mac machines within these institutions. Security analysts investigating incidents of this kind are accustomed to dealing with high-profile attacks reminiscent of the notorious Stuxnet worm incident back in 2010. In this case, though, things are a bit different, to put it mildly. The breach workflow appears somewhat primitive, which suggests that the adversary is either not professional enough or simply sloppy.

The MacDownloader attack commences with a would-be victim visiting a phishing web page masquerading as a training course for interns working in the target organizations. The social engineering part revolves around an old-school technique where the user is unable to watch a video on the site. According to a deceptive alert that pops up, the problem has to do with an out-of-date Adobe Flash Player. Then, another dialog appears, instructing the user to update the software immediately. At this point, simply clicking the Close button on the box will terminate the MacDownloader compromise. Otherwise, the rogue update will lead to further deception.

If the user hits the Update Flash Player button, a new popup appears with a notification that says, “Warning! Please Attention… An adware application found on your Mac OS (iWorm v0.681). This file will be clean in a few seconds.” Note that spelling errors and typos are literally everywhere in the malware’s dialogs. All in all, the detection of a worm that’s claimed to be adware is a huge giveaway. Indeed, why on earth would the genuine Adobe Flash Player report Mac infections? The most likely explanation of this apparent discrepancy is that MacDownloader must have been built as a rogue AV product, but the authors had to adapt its activity to entirely new objectives and failed to do it properly.

If the OK button is clicked on the spoof adware detection window, the victim will be presented with a new screen that requests their username and password. This is the phishing part in its most explicit form. In the event the user ends up providing their administrative credentials, the MacDownloader virus will be able to access the system’s keychain data and harvest all passwords. It doesn’t take a rocket scientist to predict the ultimate upshot of such activity: the offending program will attempt to transmit the collected information to its Command and Control server. To add insult to injury, it is also capable of downloading arbitrary payloads from the C2 and executing them on the host Mac OS X machine without authorization. It’s clear that MacDownloader removal should be on a victim’s agenda. The tips below will shed light on the malware cleanup process.

MacDownloader manual removal for Mac

The steps listed below will walk you through the removal of this application. Be sure to follow the instructions in the order specified.

• Open up the Utilities folder

• Locate the Activity Monitor icon on the screen and double-click on it

• Under Activity Monitor, find the entry for MacDownloader, select it and click Quit Process

• A dialog should pop up, asking if you are sure you would like to quit the MacDownloader executable. Select the Force Quit option

• Click the Go button again, but this time select Applications on the list. Find the entry for MacDownloader on the interface, right-click on it and select Move to Trash. If your user password is required, enter it

• Now go to Apple Menu and pick the System Preferences option

• Select Accounts and click the Login Items button. Mac OS will come up with the list of the items that launch when the box is started up. Locate MacDownloader there and click on the “-” button
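The three places the manual steps look (running processes, the Applications folder, Login Items) can also be checked read-only from Terminal before anything is quit or trashed. This is an added example, not part of the original article: it assumes each entry carries the name MacDownloader as the steps describe, the function names are hypothetical, and the sample data in the non-Mac branch is constructed.

```shell
#!/bin/sh
# Read-only triage mirroring the manual steps: process, Applications entry, login item.
# NAME comes from the article; nothing here quits, deletes or modifies anything.
NAME="${NAME:-MacDownloader}"

# Keep only stdin lines that mention NAME (case-insensitive).
mentions_name() {
    awk -v n="$NAME" 'index(tolower($0), tolower(n))'
}

# Activity Monitor step: PIDs of matching processes.
# stdin: "<pid> <executable path>" lines, as printed by `ps -axo pid=,comm=`.
match_processes() {
    mentions_name | awk '{print $1}'
}

# Applications step: matching entries directly inside the directory $1.
match_apps() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -iname "*${NAME}*" -print
}

# Login Items step: matching item names.
# stdin: comma-separated names, as returned by the System Events query below.
match_login_items() {
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | mentions_name
}

report() {  # $1 = label, stdin = findings, one per line
    awk -v l="$1" '{print l ": " $0; n++} END {if (!n) print l ": none found"}'
}

if [ "$(uname -s)" = "Darwin" ]; then
    ps -axo pid=,comm= | match_processes | report "running process (PID)"
    match_apps /Applications | report "Applications entry"
    osascript -e 'tell application "System Events" to get the name of every login item' \
        2>/dev/null | match_login_items | report "login item"
else
    # Not on a Mac: run the same parsers over constructed sample data.
    printf '%s\n' ' 101 /usr/libexec/logd' \
        ' 4242 /Applications/MacDownloader.app/Contents/MacOS/MacDownloader' \
        | match_processes | report "running process (PID, constructed sample)"
    printf 'iTunesHelper, MacDownloader, Dropbox\n' \
        | match_login_items | report "login item (constructed sample)"
fi
```

A "none found" line only means nothing with that exact name was seen in that location; it does not prove the machine is clean.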


Get rid of MacDownloader using Freshmac automatic removal tool

When confronted with malicious code like MacDownloader, you can neutralize its toxic impact by leveraging a specially crafted system utility. The Freshmac application is a perfect match for this purpose as it delivers essential security features along with must-have modules for Mac optimization.

This tool cleans unneeded applications and persistent malware in one click. It also protects your privacy by eliminating tracking cookies, frees up disk space, and manages startup apps to decrease boot time. On top of that, it boasts 24/7 tech support. The following steps will walk you through automatic removal of the MacDownloader infection.

1. Download the Freshmac installer onto your machine. Double-click the Freshmac.pkg file to trigger the installer window, select the destination disk and click Continue. The system will display a dialog asking for your password to authorize the setup. Type the password and click Install Software.

2. Once the installation has been completed, Freshmac will automatically start a scan consisting of 5 steps. It scans cache, logs, unused languages, trash, and checks the Mac for privacy issues.

3. The scan report will then display your current system health status and the number of issues detected for each of the above categories. Click the Fix Safely button to remove junk files and address privacy issues spotted during the scan.

4. Check whether the MacDownloader has been fixed. If the lock screen is still there, go to the Uninstaller option in the Freshmac GUI. Locate an entry that appears suspicious, select it and click the Fix Safely button to force-uninstall the unwanted application.

5. Go to Temp and Startup Apps panes on the interface and have all redundant or suspicious items eliminated as well. The MacDownloader fraud shouldn’t be causing any further trouble.

