Security researchers have identified a new threat involving cracked applications distributed by unauthorized websites, concealing a Trojan-Proxy designed to compromise victims' devices.
Cybercriminals have been taking advantage of users seeking free software tools, exploiting their willingness to download from questionable sources, and ultimately exposing them to malware installations.
According to a new advisory published by Kaspersky today, the infected applications, presented as .PKG installers on macOS, differ from the original, unaltered versions, which are usually distributed as disk images.
These installers run scripts before and after installation, enabling the attackers to execute malicious code post-installation.
The malware script, found in the installer's /Contents/Resources/ directory, replaces critical files such as WindowServer and p.plist on the victim's system.
This grants attackers administrator permissions and allows the malware to operate undetected.
The p.plist file acts as a configuration file, mimicking a Google configuration file to auto-start the WindowServer file as a system process after the operating system loads.
The WindowServer universal format binary file is used to bypass detection by security measures.
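The persistence chain described above (a launchd property list posing as a Google configuration that auto-starts a binary named WindowServer) is something a defender can sweep for on a fleet. The following script is an added example, not code from the Kaspersky advisory or from this article: it parses launchd job plists with Python's standard plistlib and reports jobs whose executable is a WindowServer that does not live under /System, or whose label claims a Google component while the program sits outside a Google install directory. The heuristics, the directory list, and the three sample plists are constructed assumptions for the demo, not samples from the campaign.

```python
"""Triage macOS launchd job plists for a WindowServer/Google-lookalike persistence pattern.

Added example (not from the Kaspersky advisory or the article); standard library only.
All heuristics, paths and sample plists below are assumptions constructed for the demo.
"""
import os
import plistlib

SYSTEM_PREFIX = "/System/"            # assumption: the genuine WindowServer lives under /System
SUSPECT_BINARY = "WindowServer"
MIMICKED_VENDOR_PREFIX = "com.google."
VENDOR_PATH_HINT = "/Google/"         # assumption: legitimate Google helpers install under a Google/ directory

# Standard launchd job locations on macOS (the user one is expanded at run time).
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents")


def program_path(job: dict) -> str:
    """launchd jobs name their executable via Program or ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage(plist_bytes: bytes) -> list:
    """Return the reasons a single launchd job looks suspicious (empty list if none)."""
    job = plistlib.loads(plist_bytes)
    label = str(job.get("Label", ""))
    program = program_path(job)
    reasons = []
    if os.path.basename(program) == SUSPECT_BINARY and not program.startswith(SYSTEM_PREFIX):
        reasons.append(f"{SUSPECT_BINARY} started from non-system path {program}")
    if label.startswith(MIMICKED_VENDOR_PREFIX) and VENDOR_PATH_HINT not in program:
        reasons.append(f"label {label!r} claims a Google component but runs {program}")
    if reasons and job.get("RunAtLoad"):
        reasons.append("job auto-starts after boot/login (RunAtLoad)")
    return reasons


def scan_launchd_dirs(dirs=LAUNCHD_DIRS) -> dict:
    """Walk the launchd directories on a live system and collect findings per plist file."""
    findings = {}
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    reasons = triage(fh.read())
            except Exception:  # unreadable or malformed plist: skip it, do not abort the sweep
                continue
            if reasons:
                findings[path] = reasons
    return findings


# Constructed sample plists (not real samples): a job shaped like the one the article
# describes, an ordinary third-party job, and a stand-in for Apple's own WindowServer job.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.updates</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/.cache/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

APPLE_WINDOWSERVER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.WindowServer</string>
  <key>Program</key>
  <string>/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, data in [("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST),
                       ("apple", APPLE_WINDOWSERVER_PLIST)]:
        print(name, "->", triage(data) or "no findings")
    for path, reasons in scan_launchd_dirs().items():
        print(path, "->", reasons)
```

Run it as root on a Mac to cover /Library/LaunchDaemons; the function returns findings rather than only printing them so it can feed a fleet-wide inventory. The path and label heuristics are deliberately narrow to keep false positives low: a hit means "an analyst should look at this file", not "this host is infected".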
Once initiated, it creates log files and attempts to obtain a command-and-control server IP address through DNS-over-HTTPS, concealing its communication in regular HTTPS traffic.
Despite multiple versions of the Trojan being discovered, anti-malware vendors have not flagged any as malicious.
The Trojan connects with the C2 server via WebSocket, awaiting commands.
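Because the C2 address is fetched over DNS-over-HTTPS, the lookup never appears in port-53 DNS logs; what remains visible is a process talking to a public DoH resolver on 443 and then opening a connection to an IP it never resolved through the system resolver. The script below is an added example, not code from the advisory or the article: it runs a two-stage check over an ordered process/connection log, flagging DoH lookups by processes outside an allowlist and then the follow-on 443 connections from the same pid. The log line format, the allowlist, and the sample events are constructed assumptions for the demo; the resolver hostnames are real public DoH services.

```python
"""Two-stage detection for out-of-band C2 lookups: DoH resolver contact by an
unexpected process, followed by a connection from that process to a bare IP.

Added example, not from the advisory or the article. Log format, process allowlist
and sample events are constructed for the demo; adapt LINE_RE to your own telemetry.
"""
import ipaddress
import re
from typing import Optional

# Public DoH resolver hostnames (real services). Seeing one of these as the TLS SNI
# or HTTP host means a DNS query is riding inside HTTPS rather than using port 53.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumption: processes expected to speak DoH on this fleet (browsers and the
# system resolver). Any other process reaching a DoH resolver is reported.
DOH_ALLOWED_PROCESSES = {"Safari", "Google Chrome", "firefox", "mDNSResponder"}

# Constructed line shape: "<ts> pid=<n> proc=<name> dst=<host-or-ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>.+?) dst=(?P<dst>\S+):(?P<port>\d+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    return ev


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_doh_beacons(lines) -> list:
    """Stage 1: a non-allowlisted process contacts a DoH resolver on 443.
    Stage 2: the same pid then opens a 443 connection to an IP literal, which is
    what a C2 address obtained through the DoH answer looks like from the host.
    Each (pid, destination) pair is reported once."""
    flagged_pids = set()
    reported = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dst"] in DOH_RESOLVERS and ev["port"] == 443 and ev["proc"] not in DOH_ALLOWED_PROCESSES:
            flagged_pids.add(ev["pid"])
            stage = "doh_lookup"
        elif ev["pid"] in flagged_pids and ev["port"] == 443 and is_ip_literal(ev["dst"]):
            stage = "post_doh_connection"
        else:
            continue
        key = (ev["pid"], ev["dst"])
        if key in reported:
            continue
        reported.add(key)
        alerts.append({"ts": ev["ts"], "pid": ev["pid"], "proc": ev["proc"],
                       "dst": ev["dst"], "stage": stage})
    return alerts


# Constructed sample events; 203.0.113.0/24 is a documentation range, not a real C2.
SAMPLE_LOG = """\
2023-12-06T10:00:01Z pid=811 proc=Safari dst=dns.google:443
2023-12-06T10:00:05Z pid=4312 proc=WindowServer dst=cloudflare-dns.com:443
2023-12-06T10:00:06Z pid=4312 proc=WindowServer dst=203.0.113.10:443
2023-12-06T10:00:09Z pid=4312 proc=WindowServer dst=203.0.113.10:443
2023-12-06T10:00:12Z pid=902 proc=backupd dst=backup.example.net:443
"""

if __name__ == "__main__":
    for alert in find_doh_beacons(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second stage is what turns a noisy "someone used DoH" signal into something worth paging on: a long-lived 443 connection to a raw IP from a process that just performed its own DNS resolution is consistent with the WebSocket command channel the advisory describes. Resolvers contacted by IP address rather than hostname are not covered by this sample and would need an address list of their own.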
Beyond macOS, researchers uncovered Trojan variations targeting Android and Windows platforms, all connecting to the same C2 server.
The advisory also contains a list of Indicators of Compromise for various samples.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Wed, 06 Dec 2023 16:30:23 +0000