Trojan-Proxy Threat Expands Across macOS, Android and Windows

Written by

Security researchers have identified a new threat involving cracked applications distributed by unauthorized websites, concealing a Trojan-Proxy designed to compromise victims’ devices. 

Cybercriminals have been taking advantage of users seeking free software tools, exploiting their willingness to download from questionable sources, and ultimately exposing them to malware installations.

According to a new advisory published by Kaspersky today, the infected applications, presented as .PKG installers on macOS, differ from the original, unaltered versions usually distributed as disk images. These installers run scripts before and after installation, enabling the attackers to execute malicious code post-installation. 

The malware script, found in the /Contents/Resources/ directory, replaces critical files such as WindowServer and p.plist in the victim’s system. This grants attackers administrator permissions and allows the malware to operate undetected.

The p.plist file acts as a configuration file, mimicking a Google configuration file to auto-start the WindowServer file as a system process after the operating system loads. The WindowServer universal format binary file is used to bypass detection by security measures. 

Once initiated, it creates log files and attempts to obtain a command-and-control (C2) server IP address through DNS-over-HTTPS (DoH), concealing its communication in regular HTTPS traffic.

Read more on similar attacks: High-Severity Flaws Fixed in Firefox 115 Update

Despite multiple versions of the Trojan being discovered, anti-malware vendors have not flagged any as malicious. The Trojan connects with the C2 server via WebSocket, awaiting commands. Notably, during the research, the server responded only with the “Await next command” (0x38) message, suggesting a potential stealthy communication method.

Beyond macOS, researchers uncovered Trojan variations targeting Android and Windows platforms, all connecting to the same C2 server. 

“Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs and other illicit goods,” reads the advisory.

The advisory also contains a list of Indicators of Compromise (IoC) for various samples.

Image credit: Farknot Architect /

What’s hot on Infosecurity Magazine?