Macs Targeted by Tarmac Malware: What to Do

(Image credit: Tom's Guide)

There's a new piece of Mac malware out there, but exactly what it does and why it does it are a bit of a mystery.

Dubbed Tarmac by its finders at New York ad-integrity firm Confiant, the malware is actually a companion to Shlayer, a prolific piece of Mac malware discovered and disclosed by Confiant earlier this year. 

Both pieces of malware are distributed by malicious online ads that lure Mac users into downloading and installing bogus Adobe Flash Player software as the first step in a multilayered infection process. 

Hidden inside that bogus Adobe software is Shlayer, a "downloader" whose job it is to first establish a beachhead on a system and then download more malicious software.

The problem was that when Confiant discovered Shlayer this past winter, they didn't know what Shlayer's "second stage" was. Now they do: It's Tarmac, which analyzes the infected machine's hardware configuration and tries to upload the information to a command-and-control server.

The bad news is that Shlayer and Tarmac are still being distributed by malicious ads, or "malvertising." The good news is that Tarmac's command-and-control servers are offline, so the malware doesn't do anything but reconnaissance right now. 

That's a bit frustrating for the Confiant researchers, who don't know what Tarmac's next step would be. Odds are that Tarmac, Shlayer or both would normally get new instructions tailored to the infected machine's hardware, and they may do so again if the command-and-control servers ever spin back up.

Speaking to ZDNet, Confiant's Taha Karim said that Tarmac seemed designed to target Mac users in Italy, Japan and the United States. 

So far, that's about all we know, other than that Tarmac is digitally "signed" with a legitimate Apple developer certificate (which anyone can get from Apple for $99), so that it can sail right past macOS's built-in protections, Gatekeeper and XProtect. 

However, it won't sail past a couple of dozen antivirus brands whose detection engines already recognize Tarmac's various permutations on sight. So make sure your Mac is running one of the best Mac antivirus software programs.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.