In the space of little over a month, security firm Kaspersky discovered not one but two trojan malware that target macOS machines being spread via cracked software packages. This again shows the danger of downloading and installing pirated and cracked software to save a few dollars.
Security researchers determined the most recent trojan discovered to be a new malware strain, and samples were found targeting macOS Ventura 13.6 and later. This suggests that the threat actors behind the trojans were targeting only users of the newer operating system versions on both Intel processors and Apple Silicon machines.
When a victim downloads the cracked software package, they are downloading a disk image with the malware piggybacking on the disk image. The image contains a program named "Activator" and the application the user wants to install.
Once the disk image is opened, the victim is given instructions on installing what they believe to be the software package. If the victim follows the instructions, they will launch Activator and be presented with a simple password prompt.
Taking a deeper dive, researchers discovered that
the application in the Resources folder somehow contained a Python 3.9.6 installer and an extra Mach-O file with the name tool. The main Fat Mach-O file, tellingly named GUI, essentially implemented the PATCH button, clicking which launched two events:
The Python installer was copied to the temporary file directory: /tmp/
The tool executable in the resources folder ran with administrator privileges. To enable this, Activator employed the now-obsolete AuthorizationExecuteWithPrivileges function, which brought up the window with the admin password prompt.
Once the malware runs, the good news for the victim, if one can even call it that, is that the cracked application, indeed, does run. However, their macOS machine is now compromised, and the malware will begin installing a downloader as the next attack stage. The downloader will connect to a command-and-control server, sending further malware payloads.
Researchers noted an interesting way to do this by stringing together words from two hard-coded lists and adding a random sequence of five letters as a third-level domain name. With this URL, the sample requested a DNS server to get a TXT record for the domain.
This effectively hides the traffic, making detection harder, and guarantees the malicious payload's downloading. The malicious payload includes malware to create a backdoor onto the compromised machine and crypto-stealing malware.
The backdoor can harvest the following information from the victim's machine:
- Operating system version
- List of directories inside /Users/
- The blank "av" field presumably would be populated with information about the presence of security programs in subsequent versions.
- List of installed applications
- CPU type
- External IP address
- The blank "ver" field that presumably would be used for sending information about the payload version
As mentioned above, there is also a cryptocurrency-stealing feature to the trojan. The malware samples analyzed cover this by two functions named check_exodus_and_hash() and check_btccore_and_hash().
These functions are used to detect and replace cryptocurrency wallet details with those belonging to the threat actors to control and effectively steal cryptocurrency from victims.
In conclusion, researchers highlighted the dangers posed by the trojan by stating,
The aforementioned cracked applications are one of the easiest ways for malicious actors to get to users’ computers. To elevate their privileges, they just need to ask for the password, which typically causes no suspicions with users during software installation. That said, some of the things that the authors of the malware campaign had come up with, like placing the Python script inside a domain TXT record on the DNS server, were seriously ingenious. The script was later added to startup agents to download and execute the next-stage payload in an infinite loop, which enabled the malware operators to deliver updates to the infected machine. The final payload was a backdoor that could run any scripts with administrator privileges, and replace Exodus and Bitcoin crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked.
Another macOS Trojan
The previously discovered trojan, also by security firm Kaspersky, allows threat actors to gain money by building a proxy server network or performing criminal acts on behalf of the victim. Criminal activity includes but is certainly not limited to the following: launching attacks on websites, companies, and individuals, buying guns, drugs, and other illicit goods.
Again, the trojan is spread via cracked software packages. The malicious part piggybacking on the package contains files that can grant administrator permissions. As an installer often requests administrator permissions to function, the script run by the installer process inherits those.
Since this is a common procedure when installing new software, the threat actors hope to be able to hide the malicious granting of administrator privileges.
Another way the malware prevents detection is the way it communicates with the command-and-control server used by the threat actors.
This is done by the malware upon installation of the malicious payload attempting to obtain a C&C server IP address via DNS-over-HTTPS (DoH), thus making the DNS request indistinguishable from a regular HTTPS request, effectively hiding it from some kinds of traffic monitoring.