Apple devices are on the frontline of an increasing wave of cyberattacks. Mac users, who sometimes still assume their devices to be immune to malware, are being caught off guard by cybercriminals and their diverse modern hacking techniques.
To give Mac users an idea of what’s coming in 2024 and help them be informed and prepared, we asked cybersecurity experts to share their predictions for the macOS security landscape this year.
1. Mac malware will continue to rise in 2024
If looking back on 2023 paints a realistic picture of 2024, then unfortunately, things do not look good for Mac users when it comes to malware. In his report on Mac malware in 2023, Patrick Wardle, founder of Objective-See, concluded that the number of new macOS malware specimens increased by about 100% last year.
Moonlock reached out to Wardle to get his predictions for the new year.
“I’ve found that looking to the past is the best way to make reliable predictions for the future,” Wardle told us.
Wardle said that two main trends that emerged in 2023 and will prevail in 2024 are Mac stealers and ransomware gangs. His investigation reveals that companies are using Mac devices more than ever, with usage in enterprises expected to increase by 20% throughout 2024 and reach full dominance in 2030.
We also talked to our own Moonlock Lab security researchers, who gave us detailed insights into the Mac security trends and malware they expect to dominate in 2024. They explained that the growth in the Mac global digital attack landscape is spilling into cybersecurity.
“This surge in Mac adoption is reflected in the realm of cybersecurity, where macOS malware is on a similar upward trajectory,” Moonlock Lab experts said. “In the past year alone, new instances of macOS malware have doubled, underscoring a growing and more sophisticated threat landscape.”
2. Mac stealers will keep accelerating
Wardle told Moonlock that 2024 will likely see macOS stealers continue to flourish. Wardle explained that this trend only emerged last year.
“Such malware is solely focused on collecting and stealing sensitive information from victims’ machines, such as cookies, passwords, certificates, cryptocurrency wallets, and more,” Wardle said.
Moonlock Lab researchers added that Mac stealers are primarily targeting data that is not safeguarded by macOS’s transparency, consent, and control (TCC) framework.
What data are Mac stealers after?
Under the macOS’s TCC, Apple provides a crucial privacy and security framework to protect users’ data, granting or denying applications access to sensitive user data and features without explicit permission. However, a lot of data isn’t safeguarded under Apple’s TCC. This includes browser data like history and cookies, which stealers often target. Additionally, other data, such as specific API data, system-wide data, app data, and third-party sources, are not covered by the TCC.
“These (stealer) malware types are particularly adept at extracting sensitive information from applications based on Chromium and Gecko engines, including popular browsers and cryptocurrency wallets,” Moonlock Lab said.
Stealers for sale on the dark web and their social engineering tricks
Mac stealer malware is also a popular trend in the underground cybercriminal world. Here, cyber gangs develop and rent out stealers under malware-as-a-service models. These ready-to-use malware are designed to be zero-code and user-friendly. This reduces the barrier to entry by lowering the technical bar that bad actors need to reach in order to launch stealer attacks.
But Mac stealers aren’t just proliferating thanks to malicious developers. To breach devices, stealers still depend on some form of social engineering. In other words, hackers must trick users into downloading and installing the stealer on their Macs.
“A key strategy in their proliferation involves leveraging trending topics, such as AI chat applications and cracked versions of popular software, to entice users,” Moonlock Lab experts said. “This approach often includes an element of social engineering, manipulating users into executing actions that inadvertently bypass the built-in security mechanisms of macOS.”
3. Adware and PUAs will do more than just annoy users
For average users, adware and PUAs may seem more annoying than harmless. However, they pose serious security risks for Apple users. Adware can track browsing habits and collect sensitive information — such as credit card numbers or login credentials — while PUAs can install other unwanted software, including malware, that can damage files or steal data.
“Adware and PUAs have historically been issues for macOS users, with unwanted software causing disruptions and privacy concerns,” Moonlock Lab researchers said. “As we transition into the new year, our ongoing observations already indicate a significant number of detections related to Adware on our users’ devices.”
The researchers added that 2024 might see new adware and PUA variants, as well as new distribution methods. This would inevitably lead to an increase in the prevalence of such unwanted programs.
4. Cybercriminals will level up the weaponization of new software
As developers release new software and apps and operating systems are updated, zero-day exploits become more common. According to the 0-Day tracking project, Apple leads the list of top vendors affected by zero-day exploits between 2006 and 2024, followed closely by Google, Microsoft, Adobe, CISCO, and others.
But Mac users don’t just have to worry about zero-day Apple vulnerabilities.
“Many macOS users have numerous third-party applications on their Macs,” Moonlock Lab experts said, “with some unaware of the data these applications collect and their specific functionalities.”
The rise of zero-day exploits affecting third-party software each month has given way to a new notable trend: supply chain attacks. Moonlock Lab explained that cybercriminals are “weaponizing existing software” to take advantage of this scenario. They will scan for weaknesses and gateways in newly released software and exploit these vulnerabilities. The consequences can be severe.
“The 3CX case from last year serves as a prime example of this trend, highlighting the risks associated with exploiting weaknesses in widely used third-party applications for malicious purposes.”
5. Crypto-related malware is just getting started
Blockchain, crypto, and the decentralization of global economies have endless economic benefits for users. It’s a trend that is expected to grow in 2024. Cryptocurrencies remove financial access barriers, power almost-instant transactions, and are becoming more popular every day. Naturally, cybercriminals motivated by financial gain see the crypto arena as the perfect straight-to-money hack opportunity.
Moonlock Lab experts predict that in 2024, the macOS ecosystem may encounter a notable escalation in crypto-related malware.
“Cryptocurrency Wallet Snatchers discreetly compromise digital wallets, surreptitiously extracting valuable digital assets,” Moonlock Lab experts explained.
Additionally, cybercriminals are breaching and taking control of Mac systems to create massive botnets of infected computers to mine crypto. These types of attacks are carried out using crypto-mining malware. Moonlock Lab experts said these will be relevant in 2024.
Another type of crypto malware that Moonlock Lab experts highlighted for the coming year is the blockchain bypasser. This is a type of advanced malware designed to manipulate the blockchain, enabling the rerouting of transactions and redirection of funds, ultimately placing users’ cryptocurrency holdings under the control of malicious actors.
North Korea will dominate crypto heists
If there’s one nation-state hacker supporter that loves crypto-malware attacks, it’s North Korea.
“By the end of 2023, we had already observed a notable increase in the activity of North Korean APTs targeting macOS users and their cryptocurrency holdings,” Moonlock Lab researchers said. “This observation is proven by a comprehensive report from Jamf Threat Labs, which outlines the tactics of the BlueNoroff hacking group.”
By the end of 2023, we had already observed a notable increase in the activity of North Korean APTs targeting macOS users and their cryptocurrency holdings.
Moonlock Lab
BlueNoroff is considered an advanced persistent threat (APT) and has been identified as a subgroup of the Lazarus Group run by the government of North Korea. Additionally, there are a great number of other criminal groups linked to North Korea targeting the blockchain and crypto industry, operating under a wide number of different aliases.
International cybersecurity and foreign policy experts believe North Korea’s malicious actions in the crypto world have the specific goal of funding weapons and government programs, limited under international sanctions.
“This specific APT has demonstrated a deliberate focus on targeting cryptocurrency exchanges, venture capital firms, and banks,” Moonlock Lab experts explained. “Additionally, at the beginning of the year, there was an attack on the Mandiant X official account. In this incident, malicious actors used a CLINKSINK drainer to steal money and tokens from users of the Solana (SOL) cryptocurrency.”
While the Mandiant attack didn’t specifically target macOS users, Moonlock Lab experts believe that the chances of similar incidents happening in 2024 are high.
They added that users should also be aware and on the lookout for drainers — harmful scripts and smart contracts that attackers use to take funds and digital assets directly from victims’ crypto wallets.
6. AI will be heavily used by cybercriminals
No one would argue that AI was the one technology that stole the show in 2023, igniting a frenzy of speculation and investment like no other. 2024 promises to take AI even further. However, large language models (LLM) have proven to be just as dangerous as they can be beneficial. AI is already being used by criminals in phishing attacks, malware development, attack automation, biometric hacking, and deep-fake attacks.
Moonlock Lab malware researchers said that in 2024, macOS users will surely encounter AI-related threats. They add that AI malware poses unique threats, as it can dynamically adapt its behavior to evade traditional security measures.
“Additionally, AI-enhanced phishing attacks may become more convincing and targeted, leveraging algorithms to analyze user behavior for personalized messages,” Moonlock Lab added.
AI-enhanced phishing attacks may become more convincing and targeted, leveraging algorithms to analyze user behavior for personalized messages.
Moonlock Lab
Moonlock Lab experts are also concerned about the proliferation of AI-generated deep-fake content and the risk it poses to user identity and privacy, identity theft, and misinformation campaigns.
“AI-driven social engineering could involve mimicking user behavior on social media platforms to manipulate or impersonate individuals,” they said.
7. Bad actors will continue to abuse ad platforms for malvertising
Malvertising, once considered annoying but mostly harmless, has emerged as one of the top vectors of attack. By finding ways to bypass Google Ads and other online advertiser policies, cybercriminals can bombard the online world with fake and misleading ads. Some of these redirect users to fake websites for phishing or malicious pages that mimic legitimate, well-known tech brands and software.
For example, on January 8, 2024, Malwarebytes identified a malvertising campaign that used tactics similar to those seen in the distribution of FakeBat. This campaign targeted Mac users, delivering the updated version of Atomic Stealer.
“Continuing from the trends observed in the previous year, malvertising remains a persistent threat,” Moonlock Lab said. “Threat actors are employing deceptive techniques, such as impersonating popular tools like Slack through Google search ads, redirecting victims to decoy websites for downloading malicious applications on both Windows and Mac systems.”
8. Criminals will master SEO to poison the wells of search engines
In their efforts to lure potential victims into their malicious sites, malware, and cyber traps, cybercriminals have also become search engine optimization (SEO) experts.
SEO experts are heavily employed by the media, marketing, advertising, and content industry. When SEO experts do their jobs correctly, the website they have optimized will rank among the top results of a search engine query.
Positioning websites in the top results requires deep knowledge of top search engine algorithms and policies. It’s no easy feat. But cybercriminals are mastering this technique, resulting in a trend called SEO poisoning.
Like malvertising, SEO poisoning demands a strong response from companies like Google, Bing, Mozilla, and other search engines and online advertising platforms, as their own security standards are being manipulated to harm users and organizations around the world.
“Scammers are employing sophisticated techniques to duplicate legitimate websites or apps using counterfeit domains,” Moonlock Lab researchers said. “These fraudulent domains often present a false veneer of legitimacy through the use of digital certificates, making it challenging for users to recognize the malicious intent.”
9. Quishing and deep fakes to surge in 2024
Another emerging threat is the surge in deep fakes.
“Notably, we have witnessed instances on platforms like YouTube featuring deep fakes of prominent figures, such as the CEO of Solana cryptocurrency, Anatoly Yakovenko,” Moonlock Lab experts said.
“In a recent deceptive video, Yakovenko announced a historic day for Solana, including a fraudulent giveaway via a QR code,” they added. “This new method, known as “quishing” (a combination of QR and phishing), is expected to become more popular among cybercriminals as the use of QR codes becomes increasingly widespread.”
10. Social engineering attacks will come from everywhere
Social engineering, the art of deceiving users into taking an action that kickstarts an attack, is expected to be multifaceted in 2024.
“Cybercriminals leveraging AI tools may adeptly mimic official Apple communications through deceptive websites, emails, and messages, including phishing pages emulating Apple login screens,” Moonlock Lab researchers warned. “Fake security alerts, often in pop-up messages or emails, exploit user fears, coercing clicks on malicious links or downloads disguised as security software.”
Moonlock Lab added that in 2024, threat actors may also attempt to trick users by impersonating Apple’s authentic software update notifications and tricking users into installing fake updates.
“Within the development of AI, social engineering on macOS will involve the manipulation of legitimate apps or the creation of fraudulent ones, injecting malicious code for data theft or payload delivery like banking Trojans or infostealers,” Moonlock Lab experts explained. “Capitalizing on Apple events, cybercriminals may craft convincing lures in phishing campaigns to prompt users into clicking on malicious links.”
The state of the global cybercriminal underworld in 2024
Undoubtedly, the biggest challenge that international law enforcement agencies, businesses, and organizations worldwide face in 2024 is the abundance of cybercriminal gangs operating with the support of nation-states. These bad actors are diversifying, improving their malware, and targeting new operating systems.
Wardle said that ransomware gangs in particular have set their eyes on macOS environments.
“In 2023, we saw the infamous LockBit group creating a variant of their insidious ransomware that was natively compatible with macOS,” Wardle explained. “This was the first time such a group had targeted macOS. And though their macOS ransomware sample was fairly basic and limited in terms of its impact and did not circumvent any of macOS native security mechanisms, I expect that in 2024 and beyond, such groups will continue to target macOS with ever more sophisticated ransomware threats.”
I expect that in 2024 and beyond, [cybercriminal] groups will continue to target macOS with ever more sophisticated ransomware threats.
Patrick Wardle, Objective-See
Will international law enforcement and security experts manage to reduce the number of attacks?
We asked Moonlock Lab experts if they believed the war against cybercrime would play out in favor of law enforcement agencies and cybersecurity experts.
“In reflection on the events of the previous year (2023), we observed the notable and commendable efforts by organizations like the FBI in disrupting cyber threats,” they said. “Operations such as the US Justice Department’s disruption of the prolific ALPHV/Blackcat ransomware variant, the multinational cyber takedown of Qakbot infrastructure, the successful dismantling of the IPStorm malware botnet, and the seizure of BreachForums, with the arrest of its owner, showcased the effectiveness of law enforcement in tackling cybercrime.”
“Despite these successes, it is evident that adversaries are continuously advancing their techniques, developing increasingly sophisticated tools to circumvent security measures,” Moonlock Lab added. “While we are hopeful that international cooperation will lead to improved cybersecurity measures, reducing the number of attacks may be challenging. As technology advances, cybercriminals find new ways to exploit vulnerabilities, making it a continuous cat-and-mouse game.”
The most active cybercriminal syndicates and groups
Regarding which groups will be the most active cybercriminal organizations in 2024, Moonlock Lab experts believe that several notorious groups have been the most active lately. These include ransomware operators like Lockbit and Turtle, as well as state-sponsored actors like APT groups originating from Russia, China, North Korea, and Iran.
“As for the emergence of new cybercriminal organizations, it’s unfortunately a plausible scenario,” the experts added. “The barrier to entry into cybercrime is becoming lower due to AI development, and the potential for financial gain or achieving geopolitical objectives attracts new actors.”
How can Mac users stay safe in 2024?
While 2024 promises to be a wild year for cybersecurity and the landscape may seem overwhelming, users can take steps to protect their data from the ever-evolving attacks.
We recommend adopting a proactive approach by taking the following measures:
- Enable automatic updates: Ensure that your macOS, applications, and security software are set to receive automatic updates. This helps patch vulnerabilities promptly.
- Use a reputable security suite: Employ a robust antivirus and antimalware solution specifically designed for macOS to provide an additional layer of defense against various threats.
- Be careful with emails: Be skeptical of unexpected emails, especially those containing links or attachments. Verify the sender’s authenticity before clicking on any links or downloading attachments.
- Exercise caution on social media: Be cautious about the information you share on social media, and avoid clicking on suspicious links or engaging in conversations with unfamiliar profiles.
- Be wary of pop-ups: Avoid clicking on pop-ups, especially those claiming to be urgent security alerts. Genuine alerts typically come from the system or security software, not through browser pop-ups.
- Keep third-party software updated: Regularly update third-party applications, plugins, and browser extensions to patch vulnerabilities and minimize the risk of exploitation.
- Verify website authenticity: Before entering sensitive information, double-check the authenticity of websites, especially when prompted by emails or messages.
- Educate yourself: Stay educated on common social engineering tactics, phishing techniques, and other cyber threats. Being aware of potential risks enhances your ability to recognize and avoid them.
By incorporating these practices into daily online activities, macOS users can significantly reduce the risk of falling victim to various cyber threats and enhance the overall security of their systems and personal information.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc.
