Security researchers have discovered a new and previously unknown macOS malware that uses pirated software to infiltrate users' systems.
The malware, beyond installing an unauthorized proxy server, proved to be highly sophisticated in its approach, according to a new advisory from Kaspersky.
Cracked applications pre-packaged as PKG files allowed malicious actors to bundle a Trojan-Proxy and a post-install script into apps circulating on piracy websites. The malware targets macOS Ventura 13.6 and later and runs on both Intel and Apple Silicon machines.
Called "Activator.app", the malware presented a seemingly unsophisticated GUI with a patch button. Closer inspection, however, revealed a Python 3.9.6 installer and an additional Mach-O file named "tool" in the Resources folder. Activator used a deprecated function, AuthorizationExecuteWithPrivileges, to obtain administrator rights. This ultimately enabled the execution of a Python script that patched the downloaded app.
The malware's second stage involved contacting a command-and-control (C2) server by making a DNS request for a TXT record that held an encrypted script. The decoded script, executed by the "tool" binary, exposed options such as killing Notification Center processes and installing launch agents for persistence.
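As an added, defender-side illustration (not Kaspersky's code), the following Python flags DNS TXT answers that look like script carriers rather than ordinary SPF or verification records; the domains, the log format and the base64 stand-in for the encrypted script are all constructed assumptions.

```python
import base64
import math
import re
# Added example, not Kaspersky's tooling: flag DNS TXT answers that carry a script instead of
# SPF/DKIM/verification text. Domains and encoding are constructed (the page gives neither).
SCRIPT_MARKERS = (b"#!/", b"import ", b"subprocess", b"os.system", b"launchctl")
LONG_TXT = 200      # legitimate SPF/DKIM/verification records are usually shorter
HIGH_ENTROPY = 5.0  # bits per char; base64 or encrypted blobs score roughly 5 to 6
FAKE_SCRIPT = (b"#!/usr/bin/env python3\nimport os, subprocess\n"  # constructed, harmless
               b"# constructed stand-in for a second-stage script; it only echoes\n"
               b"subprocess.run(['echo', 'stage two placeholder'])\nprint(os.uname())\n"
               b"print('this is where a real stage two would list installed apps')\n")
def quote_chunks(s: str, size: int = 255) -> str:
    # Resolvers log a long TXT value as several quoted strings of at most 255 chars.
    return " ".join(f'"{s[i:i + size]}"' for i in range(0, len(s), size))

SAMPLE_TXT_LOG = "\n".join([  # constructed resolver log lines: <name> TXT <rdata>
    'example.com TXT "v=spf1 include:_spf.example.com -all"',
    'shop.example.org TXT "google-site-verification=abc123def456"',
    "upd.example.test TXT " + quote_chunks(base64.b64encode(FAKE_SCRIPT).decode()),
])

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def assess_txt(rdata: str) -> list:
    """Return the heuristics that fire for one TXT answer (empty list = looks benign)."""
    joined = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata  # rejoin split strings
    reasons = []
    if len(joined) > LONG_TXT:
        reasons.append("long")
    if shannon_entropy(joined) > HIGH_ENTROPY:
        reasons.append("high-entropy")
    try:
        decoded = base64.b64decode(joined, validate=True)
    except ValueError:  # not base64, e.g. SPF text containing spaces and colons
        decoded = b""
    if any(marker in decoded for marker in SCRIPT_MARKERS):
        reasons.append("decodes-to-script")
    return reasons

def suspicious_txt_answers(log_text: str) -> dict:  # name -> reasons, for flagged answers
    hits = {}
    for line in log_text.splitlines():
        name, _, rdata = line.partition(" TXT ")
        reasons = assess_txt(rdata) if rdata else []
        if reasons:
            hits[name.strip()] = reasons
    return hits
```

Run against real resolver logs, the "long" and "decodes-to-script" heuristics are the reliable ones; the entropy threshold needs tuning per environment because DKIM keys are also long base64 blobs.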
The third stage revealed a backdoor that communicated with the C2 server and sent information about the infected system, its installed applications and more. Kaspersky noted that although the server did not issue any commands during the study, this hinted at ongoing development of the malware campaign.
Finally, the fourth stage unveiled a crypto-stealing component that replaces legitimate cryptocurrency wallets with infected versions. The malware operators embedded malicious code in wallet applications such as Exodus and Bitcoin-QT to steal users' wallet information.
According to Sergey Puzan, a security researcher at Kaspersky, the discovery highlights the vulnerability of users who run cracked applications.
"Cybercriminals use pirated apps to easily gain access to users' computers and admin privileges by asking them to enter the password. The makers show unusual creativity by hiding a Python script in the record of a DNS server, which increases the stealth in the traffic."
To protect against this threat, users should exercise increased vigilance, particularly with regard to their cryptocurrency wallets, avoid downloading from dubious websites, and opt for reliable cybersecurity solutions to improve overall protection.