Illegally distributed software has historically served as a way to sneak malware onto victims' devices.
People seeking such software are an excellent target for cybercriminals, who know that an individual looking for a cracked app is willing to download an installer from a questionable website and disable security on their machine, and so will be fairly easy to trick into installing malware as well.
We recently discovered several cracked applications distributed by unauthorized websites and loaded with a Trojan-Proxy.
Attackers can use this type of malware to make money by building a proxy server network, or to perform criminal acts on behalf of the victim: launching attacks on websites, companies and individuals, or buying guns, drugs and other illicit goods.
Unlike the original, untampered-with applications, which are typically distributed as a disk image, the infected versions came in the form of.
These files are handled by the dedicated Installer utility in macOS, and they can run scripts before and after the actual installation.
In the examples we gathered, scripts were run only after the application was installed.
A look at the script code reveals that the /Contents/Resources/ directory contains two suspicious files in addition to the cracked application's resources: WindowServer and p.plist.
Plist files with the two files from the resources folder, and grants administrator permissions to these.
As an installer often requests administrator permissions in order to function, the script run by the installer process inherits them.
We have found several versions of the application, with the earliest one uploaded to VirusTotal on April 28, 2023.
None of the versions were flagged by any anti-malware vendors as malicious.
The Trojan creates log files and attempts to obtain a C&C server IP address via DNS-over-HTTPS, thus making the DNS request indistinguishable from a regular HTTPS request and hiding it from traffic monitoring.
Example of GET request in C&C IP address function.
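Because the Trojan resolves its C&C address over DNS-over-HTTPS, the lookup never appears in conventional DNS logs, but an RFC 8484 GET request still carries the query in its `dns=` parameter. The following is an added detection example, not code from the article or the malware: it decodes that parameter from constructed web-proxy log lines and recovers the queried name (the resolver host and the C&C domain are placeholders).

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

QTYPE_NAMES = {1: "A", 28: "AAAA", 16: "TXT"}


def encode_doh_query(name: str, qtype: int = 1) -> str:
    # RFC 8484 GET form: DNS wire-format query (ID 0, RD set, one question),
    # base64url-encoded without padding. Used here only to build the sample log.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    return base64.urlsafe_b64encode(header + qname + struct.pack("!HH", qtype, 1)).decode().rstrip("=")


def decode_doh_query(url: str):
    # Return (qname, qtype_name) if the URL is a DoH GET query, otherwise None.
    qs = parse_qs(urlsplit(url).query)
    if "dns" not in qs:
        return None
    b64 = qs["dns"][0]
    try:
        wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        if struct.unpack("!H", wire[4:6])[0] < 1:  # QDCOUNT must be at least 1
            return None
        labels, pos = [], 12  # question section starts right after the 12-byte header
        while True:
            length = wire[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:  # compression pointers are not valid in a query name
                return None
            labels.append(wire[pos:pos + length].decode("ascii"))
            pos += length
        qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    except (ValueError, IndexError, struct.error):
        return None  # malformed or truncated message: not a usable DoH query
    return ".".join(labels), QTYPE_NAMES.get(qtype, str(qtype))


def find_doh_lookups(log_lines):
    # Log line format assumed here: "<client> <method> <url>". Returns (client, qname, qtype) hits.
    hits = []
    for line in log_lines:
        client, method, url = line.split()
        decoded = decode_doh_query(url) if method == "GET" else None
        if decoded:
            hits.append((client, *decoded))
    return hits


# Constructed sample log, not taken from the article; resolver and C&C names are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.example.com/index.html",
    "10.0.0.5 GET https://doh-resolver.example/dns-query?dns=" + encode_doh_query("c2-placeholder.example"),
    "10.0.0.7 POST https://api.example.com/upload",
]
```

Running `find_doh_lookups(SAMPLE_LOG)` flags only the second line, attributing the hidden lookup for the placeholder C&C domain to client 10.0.0.5.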
After receiving a response, it establishes a connection with the C&C server at register[.]ca via WebSocket, sending the application version and expecting a command with a relevant message in return.
During our research, we did not receive any server response containing a command other than 0x38. An analysis of the program code suggests that the 0x34 command should be accompanied by a message containing the IP address to connect to, the protocol to use and the message to send.
Unlike its predecessors, the latest of the versions we know of cannot check its own version or update.
Older versions obtain a C&C IP address by means of a regular DNS request rather than DoH. All versions of the Trojan write logs to log.
Besides the macOS application, we discovered several specimens for Android and Windows that connected to the same C&C server.
This Cyber News was published on securelist.com. Publication date: Wed, 06 Dec 2023 10:13:04 +0000