Security researchers have discovered a new and previously unknown macOS malware that exploits pirated software to infiltrate users’ systems.
Unlike the Trojan proxy Kaspersky had earlier found bundled into pirated macOS apps, this sample is a multi-stage backdoor, and Kaspersky's new advisory describes it as markedly more sophisticated.
The cracked applications were repackaged as PKG installers that carried a Trojan proxy and a post-install script, and were circulating on piracy websites. The malware targets macOS Ventura 13.6 and newer and runs on both Intel and Apple silicon machines.
The dropper, named “Activator.app,” presents a deliberately plain GUI with a single PATCH button. Closer inspection of its Resources folder, however, revealed a Python 3.9.6 installer and an extra Mach-O binary named “tool”. Activator calls AuthorizationExecuteWithPrivileges, an API Apple deprecated years ago but never removed, to pop the standard administrator password prompt; because the prompt is the system's own, users expecting to “activate” a crack enter their password without suspicion. With root obtained, Activator runs a Python script that patches the downloaded app so it actually works, which gives the victim no reason to look further.
The second stage contacts its command-and-control (C2) infrastructure not over HTTP but through a DNS lookup: the “tool” binary requests a TXT record for an attacker-controlled name, and the record carries an encrypted script. After decryption the script is executed by “tool” and, among other things, kills NotificationCenter processes and installs launch agents for persistence. Fetching the payload via an ordinary DNS query is what makes this stage hard to spot: the traffic goes to the local resolver and looks like any other lookup, so egress-focused alerting rarely fires.
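The following Python is an added example, not code from the Kaspersky report or from the malware, illustrating two things from the stage described above: how a script-sized payload has to be split across TXT strings (each DNS character-string is capped at 255 bytes) and reassembled by the client, and a simple detection rule that flags such answers in DNS logs while leaving legitimate long TXT records (SPF, DKIM, domain-verification tokens) alone. The script content, the domain names, the log records and the XOR “cipher” are all constructed stand-ins; the page only says the real script was encrypted and does not name the algorithm.

```python
"""Staging a script in DNS TXT records and flagging it in DNS logs.

Added example. The payload, key, domains and log entries below are
constructed for illustration; the XOR step is a stand-in for whatever
cipher the real sample used.
"""
import base64
import math
import re
from collections import Counter

# --- attacker side: what the "tool" binary has to do ---------------------

STAGING_KEY = b"example-key"          # constructed key, not the real one
STAGE2_SCRIPT = (                     # constructed script, not the real one
    "import os, subprocess\n"
    "subprocess.run(['killall', 'NotificationCenter'])\n"
    "plist = os.path.expanduser('~/Library/LaunchAgents/com.example.agent.plist')\n"
    "open(plist, 'w').write('<plist>...</plist>')\n"
    "subprocess.run(['launchctl', 'load', plist])\n"
).encode()


def xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the real encryption; keeps the example dependency-free."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_txt_chunks(script: bytes, key: bytes, chunk: int = 255) -> list[str]:
    """Encrypt, base64-encode and split into <=255-byte TXT strings.

    A single TXT character-string cannot exceed 255 bytes, so a payload of
    any useful size arrives as several strings that the client concatenates.
    """
    b64 = base64.b64encode(xor(script, key)).decode()
    return [b64[i:i + chunk] for i in range(0, len(b64), chunk)]


def reassemble_and_decrypt(chunks: list[str], key: bytes) -> bytes:
    """Client side: join the TXT strings, base64-decode, decrypt."""
    return xor(base64.b64decode("".join(chunks)), key)


# --- defender side: rule over DNS logs -----------------------------------

# Legitimate reasons for long TXT answers; extend for your environment.
BENIGN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1",
                   "google-site-verification=", "MS=", "_acme-challenge")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_txt(chunks: list[str], min_len: int = 200,
                   min_entropy: float = 4.5) -> tuple[bool, str]:
    """Flag a TXT answer that looks like a base64 blob rather than a record."""
    joined = "".join(chunks)
    if joined.startswith(BENIGN_PREFIXES):
        return False, "allowlisted record type"
    if len(joined) < min_len:
        return False, "too short to carry a script"
    if not B64_SHAPE.match(joined):
        return False, "not base64-shaped"
    ent = shannon_entropy(joined)
    if ent < min_entropy:
        return False, f"low entropy {ent:.2f}"
    return True, f"{len(chunks)} strings, {len(joined)} chars, entropy {ent:.2f}"


def scan(dns_log: list[dict]) -> list[str]:
    """Return query names whose TXT answers trip the rule."""
    return [rec["query"] for rec in dns_log
            if rec["type"] == "TXT" and suspicious_txt(rec["answers"])[0]]


# Constructed DNS log: two ordinary TXT answers and one staged payload.
SAMPLE_LOG = [
    {"query": "example.com", "type": "TXT",
     "answers": ["v=spf1 include:_spf.example.net ~all"]},
    {"query": "sel1._domainkey.example.com", "type": "TXT",
     "answers": ["v=DKIM1; k=rsa; p=" + "A" * 300]},
    {"query": "update.cdn-stage.invalid", "type": "TXT",
     "answers": build_txt_chunks(STAGE2_SCRIPT, STAGING_KEY)},
]

if __name__ == "__main__":
    for name in scan(SAMPLE_LOG):
        print("suspicious TXT answer for", name)
```

The allowlist is the part to maintain: DKIM keys are long base64 too, so a rule on length and entropy alone will page on every mail domain. Matching on the well-known record prefixes first keeps the signal usable; the remaining hits are worth a look regardless of which cipher or encoding the sample actually used, because the rule never needs to decrypt anything.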
The third stage is a backdoor that checks in with the C2 server and reports details of the infected system, its installed applications and more. Kaspersky noted that the server issued no commands during the investigation, which suggests the campaign was still under active development rather than dormant.
The fourth stage is a cryptocurrency-stealing component that swaps legitimate wallet applications for trojanized copies. The operators embedded malicious code in wallets such as Exodus and Bitcoin-Qt so that a user who keeps using the familiar app is in fact handing over wallet data to the attackers.
According to Sergey Puzan, a security researcher at Kaspersky, the discovery underlines how exposed users of cracked applications are.
“Cybercriminals use pirated apps to easily access users’ computers and get admin privileges by asking them to enter the password. The creators show unusual creativity by hiding a Python script in a DNS server’s record, increasing the malware’s level of stealth in the network’s traffic.”
To guard against this threat, users should avoid downloading software from piracy sites, be suspicious of any “activator” that demands an administrator password, and keep wallet applications under particular scrutiny: a wallet app that suddenly fails code-signature verification, or an unexpected entry in ~/Library/LaunchAgents, is worth investigating. A reputable security product adds a further layer of protection.