Skip to main content

Macs Targeted by Tarmac Malware: What to Do

(Image credit: Tom's Guide)

There's a new piece of Mac malware out there, but exactly what it does and why it does it are a bit of a mystery.

Dubbed Tarmac by its finders at New York ad-integrity firm Confiant, the malware is actually a companion to Shlayer, a prolific piece of Mac malware discovered and disclosed by Confiant earlier this year. 

Both pieces of malware are distributed by malicious online ads that lure Mac users into downloading and installing bogus Adobe Flash Player software as the first step in a multilayered infection process. 

Hidden inside that bogus Adobe software is Shlayer, a "downloader" whose job it is to first establish a beachhead on a system and then download more malicious software.

The problem was that when Confiant discovered Shlayer this past winter, they didn't know what Shlayer's "second stage" was. Now they do: It's Tarmac, which analyzes the infected machine's hardware configuration and tries to upload the information to a command-and-control server.

The bad news is that Shlayer and Tarmac are still being distributed by malicious ads, or "malvertising." The good news is that Tarmac's command-and-control servers are offline, so the malware doesn't do anything but reconnaissance right now. 

That's a bit frustrating for the Confiant researchers, who don't know what Tarmac's next step would be. Odds are that Tarmac, Shlayer or both would normally get new instructions tailored to the infected machine's hardware, and they may do so again if the command-and-control servers ever spin back up.

Speaking to ZDNet, Confiant's Taha Karim said that Tarmac seemed designed to target Mac users in Italy, Japan and the United States. 

So far, that's about all we know, other than that Tarmac is digitally "signed" with a legitimate Apple developer certificate (which anyone can get from Apple for $99), so that it can sail right past macOS's built-in protections, Gatekeeper and XProtect. 

However, it won't sail past a couple of dozen antivirus brands whose detection engines already recognize Tarmac's various permutations on sight. So make sure your Mac is running one of the best Mac antivirus software programs.