Introduction:
In the ever-evolving landscape of cybersecurity threats, a new player has emerged targeting macOS users. This threat, concealed within cracked apps, introduces a previously undocumented stealer capable of harvesting sensitive system information and cryptocurrency wallet data. In this blog post, we delve into the details of this macOS malware, exploring its tactics and its impact on unsuspecting users.
The Cracked Software Vector:
Recent observations by Kaspersky have uncovered a disturbing trend – cracked software infecting Apple macOS users. This malware specifically targets machines running macOS Ventura 13.6 and later, and it runs on both Intel and Apple silicon processor architectures. The attack is orchestrated through booby-trapped disk image (DMG) files that bundle a program named “Activator” alongside pirated versions of legitimate software such as xScope.
The Deceptive Activation:
Upon opening the DMG files, users are prompted to move both files to the Applications folder and run the Activator component. What follows is a deceptive prompt requesting the victim’s system administrator password. Entering it grants the elevated permissions used to execute a Mach-O binary, which in turn launches a modified xScope executable. The malicious actors disable the original executable, ensuring the user unwittingly launches Activator instead.
Cunning Command-and-Control Tactics:
The malware’s sophistication extends to its command-and-control (C2) infrastructure. After the initial compromise, the malware contacts a C2 server to fetch an encrypted script. The C2 hostname is built by combining words from two hard-coded lists and prepending a random sequence of five letters as the third-level label. Rather than fetching the script over HTTP, the malware issues a DNS request for that name and retrieves three DNS TXT records. Each record carries a Base64-encoded ciphertext fragment; once decoded, decrypted and concatenated, the fragments form a Python script. This script establishes persistence and acts as a downloader, periodically reaching out to “apple-health[.]org” to download and execute the main payload.
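As an added example that is not part of the original post or the Kaspersky research, the following Python snippet shows how a defender might hunt resolver logs for the TXT-record pattern described above: a five-letter throwaway third-level label plus several opaque Base64 TXT answers for the same name. The log layout (`client qtype qname answer`), the hostnames and the Base64 payloads are all constructed for illustration.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed resolver-log lines in a simplified "<client> <qtype> <qname> <answer>" layout.
# Hostnames, addresses and payloads are made-up placeholders, not indicators from the report.
SAMPLE_LOG = """\
10.0.0.5 A www.example-corp.test 192.0.2.10
10.0.0.7 TXT qzkvw.alpha-delta.example "aGVsbG8gd29ybGQ="
10.0.0.7 TXT qzkvw.alpha-delta.example "dGhpcyBpcyBhIHRlc3Q="
10.0.0.7 TXT qzkvw.alpha-delta.example "b2YgZnJhZ21lbnRz"
10.0.0.9 TXT _dmarc.example-corp.test "v=DMARC1; p=reject"
10.0.0.9 TXT mail.example-corp.test "v=spf1 -all"
"""

# Leftmost label of exactly five lowercase letters, as described for the C2 hostname.
RANDOM_LABEL = re.compile(r"^[a-z]{5}$")
# Opaque Base64 body; legitimate TXT records (SPF, DMARC, verification tokens) rarely look like this.
BASE64_TXT = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_like_base64(txt: str) -> bool:
    """True when the TXT payload is well-formed Base64 with no readable key=value structure."""
    if not BASE64_TXT.match(txt):
        return False
    try:
        base64.b64decode(txt, validate=True)
    except (ValueError, binascii.Error):
        return False
    return True


def parse_line(line: str):
    """Split one log line into (client, qtype, qname, answer); the answer keeps inner spaces."""
    client, qtype, qname, answer = line.split(maxsplit=3)
    return client, qtype, qname.lower().rstrip("."), answer.strip('"')


def suspicious_txt_queries(log: str, min_records: int = 3) -> dict:
    """Map qname -> Base64 fragments for TXT lookups with a five-letter third-level
    label and at least `min_records` Base64-looking answers for the same name."""
    by_name = defaultdict(list)
    for line in log.strip().splitlines():
        _, qtype, qname, answer = parse_line(line)
        labels = qname.split(".")
        if qtype != "TXT" or len(labels) < 3 or not RANDOM_LABEL.match(labels[0]):
            continue
        if looks_like_base64(answer):
            by_name[qname].append(answer)
    return {name: frags for name, frags in by_name.items() if len(frags) >= min_records}
```

Real resolver or EDR DNS telemetry needs its own parser, and the five-letter-label heuristic should be paired with the record-count threshold to keep false positives low.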
Stealthy Payload Delivery:
Described as “seriously ingenious” by security researcher Sergey Puzan, the backdoor is actively maintained and updated by the threat actor. The malware is designed to run received commands, gather system metadata, and specifically target Exodus and Bitcoin Core wallets on the infected host. If these wallets are detected, the malware replaces them with trojanized versions downloaded from the domain “apple-analyser[.]com.” These trojanized versions are equipped to exfiltrate sensitive information such as seed phrases, wallet unlock passwords, names, and balances, sending them to a server controlled by the threat actor.
The Endgame:
The final payload of this stealthy macOS malware is a backdoor running with administrator privileges. This allows the threat actor to run arbitrary scripts on the infected machine. More critically, it replaces legitimate cryptocurrency wallet applications with infected versions that steal the recovery phrases the moment the wallet is unlocked. The implications are profound, as unsuspecting users may see their crypto assets compromised.
Rising Threat Landscape:
This revelation sheds light on the increasing use of cracked software as a gateway for various malware, including Trojan-Proxy and ZuRu. As users seek unauthorized versions of popular applications, they inadvertently expose themselves to these sophisticated cyber threats. It is crucial for macOS users to stay vigilant, adhere to security best practices, and only download software from official and trusted sources.
Conclusion:
The macOS “Activator” malware serves as a stark reminder of the evolving tactics employed by cybercriminals. Users must exercise caution, especially when engaging with cracked software, as the consequences extend well beyond the initial compromise. By understanding the intricacies of this threat, we empower ourselves to stay ahead of cyber adversaries and protect our digital assets in an increasingly interconnected world.