CyberSecurityBoard
Sponsor Register Login

Analysis of a new macOS Trojan-Proxy

Illegally distributed software historically has served as a way to sneak malware onto victims' devices.
They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.
We recently discovered several cracked applications distributed by unauthorized websites and loaded with a Trojan-Proxy.
Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods.
Unlike the original, untampered with, applications typically distributed as a disk image, the infected versions came in the form of.
These files are handled by the Installer dedicated utility in macOS, and they can run scripts before and after actual installation.
In the examples we gathered, scripts were run only after the application was installed.
A look at the script code reveals that the /Contents/Resources/ directory contains two suspicious files in addition to the cracked application resources: WindowServer and p.plist.
Plist files with the two files from the resources folder, and grants administrator permissions to these.
As an installer often requests administrator permissions to function, the script run by the installer process inherits those.
We have found several versions of the application, with the earliest one uploaded to VirusTotal on April 28, 2023.
None of the versions were flagged by any anti-malware vendors as malicious.
The Trojan creates log files and attempts to obtain a C&C server IP address via DNS-over-HTTPS, thus making the DNS request indistinguishable from a regular HTTPS request and hiding it from traffic monitoring.
Example of GET request in C&C IP address function.
After receiving a response, it establishes a connection with the C&C server at register[.
Ca via WebSocket by sending the application version and expecting a command with a relevant message in return.
During our research efforts, we did not receive a server response containing any command but 0x38. An analysis of the program code suggests that the 0x34 command should be accompanied by a message containing the IP address to connect to, the protocol to use and the message to send.
Unlike its predecessors, the latest of the versions we know of cannot check its own version or update.
Older versions obtain a C&C IP address by means of a regular DNS request rather than DoH. All versions of the Trojan write logs to log.
Besides the macOS application, we discovered several specimens for Android and Windows that connected to the same C&C server.


This Cyber News was published on securelist.com. Publication date: Wed, 06 Dec 2023 10:13:04 +0000


Cyber News related to Analysis of a new macOS Trojan-Proxy

The Exploration of Static vs Dynamic Code Analysis - Two essential methodologies employed for this purpose are Static Code Analysis and Dynamic Code Analysis. Static Code Analysis involves the examination of source code without its execution. In this exploration of Static vs Dynamic Code Analysis, ...
5 months ago Feeds.dzone.com
Lookback Analysis in ERP Audit - This article explores the interdependence between lookback analysis and access governance and how it can transform modern ERP audits. From a Segregation of Duties perspective, Lookback Analysis is a critical tool in ensuring control effectiveness and ...
1 month ago Securityboulevard.com
Pirated Software Puts Mac Users at Risk as Proxy Malware Emerges - Malware is being targeted at Mac users who receive pirated versions of popular apps from warez websites after they choose to download them from those websites. Various reports state that cybercriminals are infecting macOS devices with proxy trojans ...
7 months ago Cysecurity.news
New proxy malware targets Mac users through pirated software - Cybercriminals are targeting Mac users with a new proxy trojan malware bundled with popular, copyrighted macOS software being offered on warez sites. Proxy trojan malware infects computers, turning them into traffic-forwarding terminals used to ...
7 months ago Bleepingcomputer.com
Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets - Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs. In this article, we'll describe some of the tactics used by ...
6 months ago Unit42.paloaltonetworks.com
VB.NET Proxy and VPN Check with IP2Location.io - Virtual Private Network servers are proxy servers that people use daily when browsing the Internet. As most of us are aware, websites track their visitors for advertising and marketing purposes. That's the same reason that people use residential ...
6 months ago Feeds.dzone.com
CVE-2024-37891 - urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* ...
2 weeks ago
Cracked macOS Software Laced with New Trojan Proxy Malware - Kaspersky recently uncovered the most recent Trojan Proxy malware campaign, revealing that the earliest submission of the payload on VirusTotal can be traced back to April 28, 2023. According to the latest research from cybersecurity researchers at ...
6 months ago Hackread.com
Android malware and unwanted software statistics for Q1 2024 - Over 389,000 malicious installation packages were detected, of which: 11,729 packages were related to mobile banking Trojans, 1,990 packages were mobile ransomware Trojans. The rapid growth in the total number of attacks between Q2 and Q4 2023 is ...
1 month ago Securelist.com
2023 Updates in Review: Malware Analysis and Threat Hunting - Throughout ReversingLabs' 14-year history, our products have constantly excelled and improved to tailor the needs of our customers and match the changing cybersecurity threat landscape. This past year, we have delivered key improvements to ...
5 months ago Securityboulevard.com
Proxy Trojan Targets macOS Users for Traffic Redirection - A sophisticated proxy Trojan targeting macOS has been discovered and is being distributed through pirated versions of genuine business software, including editing tools, data recovery software, and network scanning applications. The Trojan operates ...
7 months ago Darkreading.com
How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
3 months ago Techtarget.com
Socks5Systemz proxy service infects 10,000 systems worldwide - A proxy botnet called 'Socks5Systemz' has been infecting computers worldwide via the 'PrivateLoader' and 'Amadey' malware loaders, currently counting 10,000 infected devices. The malware infects computers and turns them into traffic-forwarding ...
7 months ago Bleepingcomputer.com
CISA makes its "Malware Next-Gen" analysis system publicly available - It was originally designed to allow U.S. federal, state, local, tribal, and territorial government agencies to submit suspicious files and receive automated malware analysis through static and dynamic analysis tools. Yesterday, CISA released a new ...
2 months ago Bleepingcomputer.com
Analysis of a new macOS Trojan-Proxy - Illegally distributed software historically has served as a way to sneak malware onto victims' devices. They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer ...
7 months ago Securelist.com
Sophisticated macOS Infostealers Get Past Apple's Built-In Detection - Increasingly sophisticated infostealers are targeting macOS with the capability to evade Apple's built-in malware protection, as attackers are becoming more savvy about how to crack static signature-detection engines like the platform's proprietary ...
5 months ago Darkreading.com
Best of 2023: Diamond Model of Intrusion Analysis: A Quick Guide - Any intrusion into a network calls for a thorough analysis to give security teams cyber intelligence about different threats and to help thwart similar future attacks. Effective incident analysis has long been held back by uncertainty and high false ...
6 months ago Securityboulevard.com
Trojan-Proxy Threat Expands Across macOS, Android and Windows - Security researchers have identified a new threat involving cracked applications distributed by unauthorized websites, concealing a Trojan-Proxy designed to compromise victims' devices. Cybercriminals have been taking advantage of users seeking free ...
7 months ago Infosecurity-magazine.com
Trojan Malware Hidden in Cracked macOS Software, Kaspersky Says - Newly discovered cracked applications being distributed by unauthorized websites are delivering Trojan-Proxy malware to macOS users who are looking for free or cheap versions of the software tools they want. The malware can be used by bad actors for ...
6 months ago Securityboulevard.com
Chameleon Android Trojan Offers Biometric Bypass - A new variant of an Android banking Trojan has appeared that can bypass biometric security to break into devices, demonstrating an evolution in the malware that attackers now are wielding against a wider range of victims. Spread through phishing ...
6 months ago Darkreading.com
5 Best Ways a Malware Sandbox Can Help Your Company - Malware sandboxes are indispensable for threat analysis, but many of their capabilities are often overlooked. Malware sandboxes equipped with advanced AI capabilities can significantly enhance the training and productivity of junior security staff. ...
6 months ago Cybersecuritynews.com
CVE-2022-34321 - Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to ...
3 months ago
Any.RUN Sandbox Now Expanded to Analyze Linux Malware - The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting. ANY.RUN allows malware analysts, SOC members, and DFIR team members ...
5 months ago Gbhackers.com
East Texas hospital network can't receive ambulances because of potential cybersecurity incident - GetTime();if(!(u<=a&&d<=l throw new RangeError("Invalid interval");return r.inclusive?u<=l&&d<=a:ut||isNaN(t. Step):1;if(s<1||isNaN(s throw new RangeError("`options. Step):1;if(l<1||isNaN(l throw new RangeError("`options. GetTime()<=n throw new ...
7 months ago Cnn.com
Latest Information Security and Hacking Incidents - In recent times, the digital realm has become a battleground where cybercriminals constantly devise new tactics to breach security measures and exploit unsuspecting users. The emergence of the GoldPickaxe Trojan serves as a stark reminder of the ...
4 months ago Cysecurity.news

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)