A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites.
Researchers from Jamf Threat Labs discovered the series of poisoned apps being hosted on the Chinese site macyy[.
It does this by renaming itself in case anyone encounters the malware while trying to investigate system processes.
Otherwise the functionality acts like the Khepri backdoor, allowing the attacker to collect information about the system, download and upload files if the user has granted the permissions, and open a remote shell on the computer, he says.
Similar to ZuRu Malware
The researchers initially discovered the malware in the form of an executable named .fseventsd that they noticed while triaging various threat alerts.
The executable was notable for being hidden - evidenced by its name starting with a period - and also for using the name of a process built into the OS. At the time, it was neither blocked by Apple nor flagged as malicious on VirusTotal.
Using VirusTotal, the researchers determined that the .fseventsd binary was originally uploaded as part of a larger DMG file, and that three other pirated apps had been backdoored in the same way.
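A defender-side check for the naming trick described above (a hidden executable borrowing a built-in daemon's name), added here as an example and not part of the Jamf research or this article: it walks a constructed process table and flags names that are hidden or that match a system daemon but run from outside the system directories. The daemon list, the path prefixes and the sample table are assumptions.

```python
"""Hypothetical triage helper: flag processes whose image name is hidden
(leading period) or mimics a built-in macOS daemon from a non-system path."""
import os
from dataclasses import dataclass

# Assumed list of legitimate macOS daemon names worth watching; fseventsd is
# the one borrowed by the malware in the article, the rest are well-known.
SYSTEM_DAEMONS = {"fseventsd", "launchd", "mds", "coreaudiod", "cfprefsd"}

# Assumed directory prefixes where genuine copies of those daemons live.
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                   "/sbin/", "/bin/")

@dataclass
class Proc:
    pid: int
    path: str  # absolute path of the running executable image

def classify(proc):
    """Return the reasons this process looks suspicious (empty list if none)."""
    reasons = []
    name = os.path.basename(proc.path)
    if name.startswith("."):
        reasons.append("hidden executable name")
    bare = name.lstrip(".")
    if bare in SYSTEM_DAEMONS and not proc.path.startswith(SYSTEM_PREFIXES):
        reasons.append(f"impersonates system daemon {bare} from non-system path")
    return reasons

def scan(procs):
    """Map pid -> reasons for every process that trips at least one rule."""
    hits = {}
    for p in procs:
        reasons = classify(p)
        if reasons:
            hits[p.pid] = reasons
    return hits

# Constructed sample process table (illustrative paths, not real telemetry).
SAMPLE = [
    Proc(60, "/System/Library/Frameworks/CoreServices.framework/Support/fseventsd"),
    Proc(812, "/Users/alice/Library/Application Support/.fseventsd"),
    Proc(813, "/tmp/fseventsd"),
    Proc(900, "/Applications/Safari.app/Contents/MacOS/Safari"),
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(pid, "; ".join(why))
```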
An Internet search traced the apps to the Chinese website, which also provides links to many other pirated applications.
A deeper analysis of the file found that the malware hidden inside the apps executes three malicious activities.
The first is a malicious dylib, a library loaded by the application that acts as a dropper executing each time the application is opened.
That library subsequently downloads the following two malicious processes: a backdoor binary that uses the Khepri open source command-and-control and post-exploitation tool, and a downloader that sets up persistence and fetches additional payloads.
The researchers found that the malware shares a few similarities with the ZuRu malware, a previously identified data-stealing malware for macOS that spreads via sponsored search results on Baidu and installs the Cobalt Strike agent on compromised systems.
While the final payloads are different, the two malware families share similarities in the applications that they compromise, the dylib techniques that both use, and the domains that they use for infrastructure, Bradley says.
MacOS at Risk
Overall, the campaign demonstrates once again the existing risk for the macOS platform from pirated applications, but more importantly outlines the increased frequency of attackers using a malicious library placed within a modified application to compromise users.
There has been a notable and increased targeting of the platform by attackers in the last few years, who are now even creating custom macOS malware including infostealers that can crack Apple's built-in software protections.
Bradley advised that enterprises use software that both detects and blocks threats on macOS as well as prevents users from visiting websites that are known to be used for hosting pirated software.
Further, all macOS users are strongly discouraged from downloading pirated apps, whether at home, while using a corporate VPN, or in the office.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 18 Jan 2024 15:50:17 +0000