MacOS malware hides in cracked apps and targets crypto wallets


Cracked software has been observed infecting Apple macOS users with a previously undocumented stealer malware capable of collecting system information and cryptocurrency wallet data.

Kaspersky, who identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating that the malware can infect Macs on both Intel and Apple silicon processor architectures.

The attack chains use booby-trapped disk image (DMG) files that contain a program called “Activator” and a pirated version of legitimate software such as xScope.

Users who open the DMG are instructed to move both files to the Applications folder and then run the Activator component, which supposedly applies a patch that lets the xScope app run.

However, when the victim launches Activator, a prompt asks for the system administrator password. With that password, Activator runs a Mach-O binary with elevated permissions, which in turn launches the modified xScope executable.

“The trick was that the malicious actors took pre-cracked application versions and added a few bytes to the beginning of the executable, which disabled it and allowed the user to launch Activator,” said security researcher Sergey Puzan.
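A few bytes prepended to a Mach-O file push its magic number away from offset zero, which is why the cracked binary refuses to launch until Activator strips them. The same property is something a defender can check for. The Python below is an added example, not code from the article or from Kaspersky's report: it scans the first bytes of a file for a Mach-O or fat-binary magic value (in either byte order) and reports whether it sits at offset zero. The sample headers are constructed.

```python
import struct

# Mach-O magic values as 32-bit unsigned integers. A fat (universal) binary
# starts with FAT_MAGIC; note that Java .class files share that value, so a
# hit on it alone is not proof of a Mach-O.
MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
MAGICS = {MH_MAGIC, MH_MAGIC_64, FAT_MAGIC}


def find_macho_magic(data, scan_limit=64):
    """Return the offset of the first Mach-O/fat magic within the first
    scan_limit bytes of data, or None if there is none."""
    end = min(len(data), scan_limit) - 3
    for off in range(0, max(end, 0)):
        (word_be,) = struct.unpack_from(">I", data, off)
        (word_le,) = struct.unpack_from("<I", data, off)
        if word_be in MAGICS or word_le in MAGICS:
            return off
    return None


def classify_executable(data):
    """'intact' if the magic is at offset 0, 'prepended' if it appears later
    (the disabled-binary pattern described above), else 'not-macho'."""
    off = find_macho_magic(data)
    if off is None:
        return "not-macho"
    return "intact" if off == 0 else "prepended"


def classify_path(path):
    """Convenience wrapper: only the file head is needed for the check."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read(64))


# Constructed minimal 64-bit x86_64 Mach-O header: magic, cputype, cpusubtype,
# filetype (MH_EXECUTE = 2), then zeroed fields. Not a real binary.
INTACT_HEADER = (
    struct.pack("<I", MH_MAGIC_64)
    + struct.pack("<I", 0x01000007)
    + struct.pack("<I", 3)
    + struct.pack("<I", 2)
    + b"\x00" * 16
)
# The same header with four junk bytes in front, as the article describes.
PREPENDED_HEADER = b"JUNK" + INTACT_HEADER


if __name__ == "__main__":
    print("intact header    ->", classify_executable(INTACT_HEADER))
    print("prepended header ->", classify_executable(PREPENDED_HEADER))
    print("shell script     ->", classify_executable(b"#!/bin/sh\n"))
```

Run over the Mach-O binaries inside an application bundle (the files under Contents/MacOS), a "prepended" result for something that should be a plain executable is worth a closer look; a "not-macho" result is normal for scripts and resources.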

The next phase involves establishing contact with a command-and-control (C2) server to retrieve an encrypted script. The C2 URL is in turn built by combining words from two hardcoded lists and adding a random string of five letters as a third-level domain name.


A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment. The fragments are decrypted and assembled into a Python script, which establishes persistence and functions as a downloader by contacting “apple-health[.]org” every 30 seconds to download and execute the main payload.
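The DNS-based staging described above leaves a defender two observables in resolver logs: TXT lookups whose answers are nothing but Base64 fragments under a short random-looking third-level label, and a near-fixed 30-second polling cadence to the downloader's host. The following Python is an added example, not code from the article or from Kaspersky's report. The log format and every entry in it are constructed, and the thresholds (five-letter label, fragment count, jitter tolerance) are assumptions to tune against real resolver data.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the article or Kaspersky's report).
# Format: ISO timestamp,client IP,query type,query name,answers separated by '|'.
# The TXT answers are Base64 of the strings "test fragment one/two/three".
SAMPLE_DNS_LOG = """\
2024-01-22T10:00:01,10.0.0.5,A,www.example.com,93.184.216.34
2024-01-22T10:00:03,10.0.0.5,TXT,qzkwp.wordone-wordtwo.example,dGVzdCBmcmFnbWVudCBvbmU=|dGVzdCBmcmFnbWVudCB0d28=|dGVzdCBmcmFnbWVudCB0aHJlZQ==
2024-01-22T10:00:04,10.0.0.7,TXT,example.com,v=spf1 include:_spf.example.com ~all
2024-01-22T10:00:10,10.0.0.5,A,apple-health.org,198.51.100.10
2024-01-22T10:00:40,10.0.0.5,A,apple-health.org,198.51.100.10
2024-01-22T10:01:10,10.0.0.5,A,apple-health.org,198.51.100.10
2024-01-22T10:01:40,10.0.0.5,A,apple-health.org,198.51.100.10
"""

BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Assumed shape of the generated third-level label: five lowercase letters.
RANDOM_LABEL_RE = re.compile(r"[a-z]{5}")


def parse_log(text):
    """Turn the constructed log into a list of dicts, one per query."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, answers = line.split(",", 4)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qtype": qtype,
            "qname": qname.rstrip(".").lower(),
            "answers": [a for a in answers.split("|") if a],
        })
    return records


def looks_like_base64(value):
    """Strict check: Base64 alphabet only, correct length/padding, decodable."""
    if not BASE64_RE.fullmatch(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def flag_txt_fragment_c2(records, min_fragments=2):
    """Flag TXT lookups with a random-looking leftmost label whose answers
    are all Base64 fragments, the pattern described in the text."""
    hits = []
    for r in records:
        if r["qtype"] != "TXT":
            continue
        labels = r["qname"].split(".")
        if len(labels) < 3 or not RANDOM_LABEL_RE.fullmatch(labels[0]):
            continue
        if len(r["answers"]) >= min_fragments and all(looks_like_base64(a) for a in r["answers"]):
            hits.append({
                "client": r["client"],
                "qname": r["qname"],
                "fragments": len(r["answers"]),
                "payload_bytes": sum(len(base64.b64decode(a)) for a in r["answers"]),
            })
    return hits


def flag_beacons(records, min_queries=3, max_interval=120.0, max_jitter=2.0):
    """Flag (client, type, name) triples queried on a short, near-fixed cadence,
    the way the downloader stage polls its host every 30 seconds."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["qtype"], r["qname"])].append(r["ts"])
    beacons = []
    for (client, qtype, qname), times in by_key.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= max_interval and max(gaps) - min(gaps) <= max_jitter:
            beacons.append({"client": client, "qname": qname,
                            "interval_s": mean, "count": len(times)})
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_DNS_LOG)
    for hit in flag_txt_fragment_c2(recs):
        print("TXT fragment C2 candidate:", hit)
    for b in flag_beacons(recs):
        print("Beacon candidate:", b)
```

Both checks are heuristics: legitimate TXT records (SPF, domain-verification tokens) are excluded here only because they do not decode as padded Base64 under a random label, and software update checks also poll on fixed timers, so the beacon output is a triage list rather than a verdict.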

“This was a fairly interesting and unusual way to contact a command-and-control server and hide activity in the traffic, and it guaranteed the download of the payload, since the response message came from the DNS server,” Puzan explained, describing it as “seriously ingenious.”

The backdoor, which is actively maintained and updated by the threat actor, is designed to execute received commands, collect system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

If found, the applications are replaced with trojanized versions downloaded from the domain “apple-analyzer[.]com” that are equipped to exfiltrate the seed phrase, wallet unlock password, name, and balance to an actor-controlled server.

“The latest payload was a backdoor that could run all scripts with administrative privileges and replace the Bitcoin Core and Exodus crypto wallet applications installed on the machine with infected versions that stole secret recovery phrases once the wallet was unlocked,” Puzan said.

This development comes as cracked software is increasingly becoming a channel to compromise macOS users with a variety of malware, including Trojan-Proxy and ZuRu.
