Security researchers have discovered a new, previously unknown macOS malware that exploits pirated software to infiltrate user systems.
The malware, distinct from unauthorized proxy server installations, was found to be very sophisticated in its approach, according to a new advisory from Kaspersky.
By repackaging pre-cracked apps as PKG files, malicious actors embedded a Trojan proxy and post-installation script into apps circulating on hacked websites. This malware, targeting macOS Ventura 13.6 and newer versions, worked on both Intel processors and Apple Silicon machines.
Named “Activator.app,” the malware displayed a seemingly simple graphical interface with a PATCH button. However, further inspection revealed a Python 3.9.6 installer and an additional Mach-O file named “tool” in the Resources folder. Activator used a deprecated function, AuthorizationExecuteWithPrivileges, to gain administrator privileges. This ultimately allowed the execution of a Python script which fixed the downloaded application.
The malware’s second step was to reach a command and control (C2) server by performing a DNS query for a TXT record containing an encrypted script. The decrypted script, executed by a tool, displayed features such as killing NotificationCenter processes and installing launch agents for persistent execution.
The third stage of the malware revealed a backdoor that communicated with the C2 server, sending information about the infected system, installed applications and more. Kaspersky clarified that while the server did not issue any commands during the investigation, it did hint at the ongoing development of the malware campaign.
Finally, the fourth stage of the malware exposed a cryptocurrency theft component, replacing legitimate cryptocurrency wallets with infected versions. Malware operators have embedded malicious code into apps like Exodus and Bitcoin-Qt to steal users’ wallet information.
Learn more about macOS malware: Powerful Trojans targeting macOS users
According to Sergey Puzan, security researcher at Kaspersky, this discovery highlights the susceptibility of users who use cracked applications.
“Cybercriminals use hijacked applications to easily access users’ computers and gain administrator privileges by asking them to enter the password. The creators showed unusual creativity by hiding a Python script in a DNS server record, thereby increasing the level of malware stealth in network traffic.
To guard against this potential threat, users should exercise increased vigilance, especially regarding their cryptocurrency wallets, refrain from downloading content from questionable websites, and opt for reliable cybersecurity solutions to strengthen overall protection.