
Advanced malware targets macOS through cracked apps


Photo: Farknot Architect / Shutterstock.com

A novel malware campaign has been observed leveraging cracked applications to infiltrate and compromise vulnerable macOS systems running on Ventura 13.6 or later.

This multi-stage malware employs intricate techniques to evade detection and executes a series of malicious actions, including installing a backdoor and stealing cryptocurrency wallets.

Researchers from Securelist exposed this new malware’s tactics, techniques and procedures (TTPs).


Stage 1: Activator.app

Image: screenshot of the Activator app (Source: Securelist)

The malware initially manifests through an ‘Activator’ application, bundled with repackaged, pre-cracked applications as PKG files.

Primarily targeting macOS Ventura 13.6 and later versions, the operators instruct users to copy the infected app to /Applications/ and launch Activator.

A seemingly unsophisticated interface reveals a PATCH button that, when activated, triggers a chain of events involving a Python installer and a Mach-O file named ‘tool.’


Stage 2: Downloader

Upon successful activation, the malware downloads a payload from a command-and-control (C2) server, concealing the retrieval by requesting TXT records from a DNS server. The encrypted payload obtained this way is a Python script that can modify system settings, autostart processes on reboot, and communicate with the C2 server at apple-heath[.]org.

This stage of the attack creates a persistent connection to the server, periodically downloading and executing updated scripts.


Stage 3: Backdoor

Image: screenshot of the backdoor stage (Source: Securelist)

The backdoor functionality is unveiled in the third stage, where the malware operators execute arbitrary commands on infected systems. The Python script, obtained from the C2 server, collects and sends valuable information to the attacker, including operating system details, user directories, installed applications, CPU type, and external IP address.

The script continually attempts to reach the C2 server for further instructions, indicating an ongoing and evolving campaign.


Stage 4: Cryptostealer

The malware extends its reach to cryptocurrency wallets. By checking for the presence of relevant crypto wallet applications, the malware replaces them with infected versions obtained from the server apple-analyserp[.]com.

The malicious actors not only compromise the wallets but also go as far as embedding code to steal wallet unlock passwords and recovery phrases, ensuring sustained damage even in the absence of new commands from the C2 server.

Researchers have cautioned against the use of cracked applications. They also note that the malware’s innovative use of DNS TXT records and persistent C2 connections reflects a growing trend towards more advanced and evasive tactics.
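The DNS TXT retrieval described in Stage 2 and the periodic C2 polling noted above both leave traces in resolver logs. The following detection sketch is an added example and not code from the article or from Securelist; it assumes a constructed, generic "timestamp client qtype qname" log format and uses the two domains named in the article as indicators.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains named in the article (de-fanged there with "[.]"), stored in plain form.
IOC_DOMAINS = {"apple-heath.org", "apple-analyserp.com"}

# Constructed sample log: "<ISO time> <client> <qtype> <qname>" per line.
# This is a made-up format for the example, not a real resolver's output.
SAMPLE_LOG = """\
2024-01-22T10:00:00 10.0.0.5 A www.apple.com
2024-01-22T10:00:05 10.0.0.5 TXT apple-heath.org
2024-01-22T10:05:05 10.0.0.5 TXT apple-heath.org
2024-01-22T10:10:07 10.0.0.5 TXT apple-heath.org
2024-01-22T10:11:00 10.0.0.5 TXT _dmarc.example.com
2024-01-22T10:12:00 10.0.0.7 A apple-analyserp.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield datetime.fromisoformat(ts), client, qtype.upper(), qname.lower().rstrip(".")

def find_suspicious(text, ioc_domains=IOC_DOMAINS, min_hits=3, max_jitter=0.2):
    """Return (client, qname, reason) findings using two rules:
    1. any query for a known IOC domain or one of its subdomains;
    2. a client repeating TXT lookups for one name at near-regular intervals
       (beacon-like polling), whether or not the name is a known IOC."""
    findings, seen_ioc = [], set()
    txt_times = defaultdict(list)
    for ts, client, qtype, qname in parse_dns_log(text):
        if any(qname == d or qname.endswith("." + d) for d in ioc_domains):
            if (client, qname) not in seen_ioc:
                seen_ioc.add((client, qname))
                findings.append((client, qname, "known IOC domain"))
        if qtype == "TXT":
            txt_times[(client, qname)].append(ts)
    for (client, qname), times in txt_times.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gaps: small means a steady polling interval.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append((client, qname, f"periodic TXT lookups every ~{mean(gaps):.0f}s"))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

The single `_dmarc.example.com` TXT lookup in the sample is legitimate traffic and is not flagged, which is why the beaconing rule requires several evenly spaced hits rather than a TXT query alone.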


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
