macOS Threats: Automate Mac Alert Triage with Intezer

Written by Avigayil Mechtinger

    We are happy to announce that Intezer now supports scanning macOS files. 😁

    Intezer’s Autonomous SecOps solution automates security operations processes, including alert triage, incident response, and threat hunting. This release is an important step towards Intezer’s mission of automating every alert that security teams need to handle, whatever operating system it comes from. You can now automatically triage alerts coming from your Mac endpoints, or from emails that carry Mac file attachments, and get clear response recommendations from Intezer.

    As with Linux malware, there are very few reliable options for analyzing macOS threats. Using Intezer’s code reuse technology, we can automatically triage macOS files, processes and endpoints, providing the historical and contextual information you need to reduce false positives and classify threats more accurately.

    Intezer’s investigation note on an alert in SentinelOne.

    Rotten Apples: Malware Targeting macOS

    Since the first documented macOS malware, “Oompa-Loompa” from 2006, many kinds of malware have been discovered targeting Mac endpoints, from adware and botnets to nation-state backdoors. Here are some examples:

    • Russian nation-state groups: Turla with Snake, and Sofacy (APT28) with XAgent
    • North Korea’s Lazarus with the Dacls and Manuscrypt tools
    • IPStorm – a botnet that abuses a legitimate peer-to-peer (P2P) network
    • ElectroRAT – a RAT designed to steal cryptocurrency wallets
    • SysJoker – a backdoor discovered in early 2022

    Notably, every one of these families also has variants that target operating systems other than macOS.

    A SysJoker malware sample for Mac in Intezer Analyze.

    Interested in learning more about macOS malware and analysis tools? Check out the Objective-See Foundation or The Art of Mac Malware book by Patrick Wardle.

    Start Triaging Mac Alerts with Intezer

    Our database already contains hundreds of thousands of malicious and trusted macOS code fragments (“genes”), and it continues to grow. You can integrate your endpoint security solution with Intezer (currently supported for SentinelOne and CrowdStrike) to start automating triage of your Mac endpoint alerts. Just sign up for Intezer to give it a try.

    Want to see for yourself? You can try Intezer for free, watch a 5-minute demo video, or reach out to our team to book a demo.

    Avigayil Mechtinger

    Avigayil is a product manager at Intezer, leading the Intezer Analyze product lifecycle. Prior to this role, Avigayil was part of Intezer’s research team and specialized in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented malware targeting both Linux and Windows platforms.
