Mac malware stats - June 2017

According to statistics released by Symantec today, the second most widespread Mac malware today is a cryptocurrency miner called DevilRobber, which saw a huge spike in activity last month.

DevilRobber accounted for only 2.4% of all Mac malware detections in May 2017, but last month it grew ninefold to a whopping 21.6% of all detections, ranking second on Symantec's list of most active Mac malware, behind RSPlug, a DNS changer used in various adware campaigns.

DevilRobber — blast from the past!

This particular piece of malware is detected under different names, such as DevilRobber (Intego and F-Secure), Miner-D (Sophos), and OSX.Coinbitminer (Symantec).

The malware was first discovered by Intego researchers in October 2011 and was spotted by F-Secure and Sophos a few days later, making a huge splash on the Mac scene as one of the first major Mac malware outbreaks of its time.

The malware spread via tainted Mac apps uploaded on torrent sites, and it was so widespread at the time that Apple had to issue emergency updates to limit its impact.

New versions were spotted in the subsequent months [1, 2], and its authors continued to develop it, but they never reached the same infection success rate as during their October and November 2011 runs.

DevilRobber worked by using a Mac computer's GPU card to mine for Bitcoin, while also stealing Bitcoin wallet files from infected hosts.

Since 2011, Bitcoin mining has become highly ineffective when performed on regular computers. In recent years, cryptocurrency miners have moved to newer currencies such as Ethereum or Monero, where mining on commodity hardware yields better results. It is plausible that the recent spike in DevilRobber activity is attributable to a new version of the malware that mines these latter cryptocurrencies instead of Bitcoin, both of which are also experiencing huge price spikes.

Spam levels up, RIG EK down

Besides the spike in DevilRobber activity, the Symantec June Intelligence Report also noted a huge spike in global spam levels. According to Symantec, spam emails last month reached 54.3% of the Internet's entire email volume, this year's highest spam level and the highest since November 2016.

Another spike was detected in the number of active phishing campaigns. According to Symantec, one in every 1,975 emails was a phishing email, the second-highest monthly rate seen in the last year.

Last but not least, Symantec also confirmed a decline in the activity of the RIG Exploit Kit, a topic we explored in more depth in an article last month.