Security researchers at Kaspersky have uncovered a new macOS malware family that specifically targets users who download pirated software. Unlike the Trojan proxies previously found bundled with cracked macOS applications, this campaign installs a multi-stage backdoor that ends in cryptocurrency wallet theft.
The malware is delivered through PKG installers found on piracy websites. Each installer bundles a pre-cracked application together with an "Activator.app" that the user is told to run to make the cracked copy work; a post-install step then hands control to Activator, which obtains the access the later stages need. The installer requires macOS Ventura 13.6 or newer and runs on both Intel and Apple silicon machines.
On closer inspection, researchers found that Activator.app contains a Python 3.9.6 installer and an additional Mach-O file named "tool" in its Resources folder. Activator calls the deprecated AuthorizationExecuteWithPrivileges API, which prompts the user for an administrator password and then runs "tool" with root privileges. This is not an exploit of the API but its documented behaviour; the user supplies the credentials voluntarily because they expect the "activation" to need them. With those privileges the malware installs Python and runs a script that patches the downloaded application so that the cracked copy launches, which keeps the victim from suspecting anything.
The malware operates in several stages. In the second stage the "tool" binary contacts a command-and-control (C2) server by issuing a DNS TXT query; the answer carries a base64-encoded, encrypted Python script, so the payload arrives over DNS rather than HTTP and slips past simple web filtering. Once decrypted and executed, the script terminates the NotificationCenter process and installs launch agents in the user's LaunchAgents folder so that the next stage runs persistently.
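Persistence through user launch agents is the stage a responder can check for first. The following triage script is an added example, not Kaspersky's code or an indicator list from the campaign: it parses LaunchAgent plists with the standard-library plistlib and flags generic warning signs (an interpreter such as python3 launching a script from a user-writable or hidden path, a "com.apple." label in a per-user LaunchAgents folder where Apple never installs agents, and RunAtLoad combined with KeepAlive). The two plists embedded below are constructed for the demonstration; the file names, labels and paths in them are assumptions.

```python
"""Triage ~/Library/LaunchAgents for script-based persistence (added example).

Heuristics only: a hit means 'look at this', not 'this is malware'.
"""
import os
import plistlib
from typing import Dict, List

INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "perl"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

# Constructed sample plists (assumed names/paths), not artefacts from the campaign.
SAMPLE_AGENTS: Dict[str, bytes] = {
    "com.apple.updateservice.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.updateservice</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/python3</string>
<string>/Users/alice/Library/Application Support/.cache/updater.py</string>
</array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
    "com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/helper</string>
<string>--background</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}


def triage_agent(data: bytes) -> List[str]:
    """Return the list of warning flags raised by one LaunchAgent plist."""
    plist = plistlib.loads(data)
    flags: List[str] = []
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0] if args else ""

    # 1. Scripts run by an interpreter are the norm for dropped Python/shell stages.
    if os.path.basename(program) in INTERPRETERS:
        flags.append("interpreter")
    # 2. Anything launched from a location the user (and thus the malware) can write to.
    if any(a.startswith(USER_WRITABLE_PREFIXES) for a in args):
        flags.append("user-writable-path")
    # 3. A dot-directory somewhere in the path is hidden from Finder by default.
    if any(part.startswith(".") and part not in (".", "..")
           for a in args for part in a.split("/")):
        flags.append("hidden-path")
    # 4. Apple's own agents live in /System/Library/LaunchAgents, never under ~/Library.
    if str(plist.get("Label", "")).startswith("com.apple."):
        flags.append("apple-label-outside-system")
    # 5. Start at login and restart whenever killed: classic persistence settings.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        flags.append("run-at-load+keepalive")
    return flags


def triage_all(agents: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: triage_agent(data) for name, data in agents.items()}


def load_user_agents(home: str = os.path.expanduser("~")) -> Dict[str, bytes]:
    """Read every plist in ~/Library/LaunchAgents on a Mac; returns {} elsewhere."""
    folder = os.path.join(home, "Library", "LaunchAgents")
    agents: Dict[str, bytes] = {}
    if os.path.isdir(folder):
        for name in sorted(os.listdir(folder)):
            if name.endswith(".plist"):
                with open(os.path.join(folder, name), "rb") as f:
                    agents[name] = f.read()
    return agents


if __name__ == "__main__":
    # On a Mac this scans the real folder; anywhere else it falls back to the samples.
    for name, flags in triage_all(load_user_agents() or SAMPLE_AGENTS).items():
        print(f"{name}: {', '.join(flags) if flags else 'no flags'}")
```

Run it on a suspect Mac as the affected user; an agent that trips several of these flags at once, especially the spoofed Apple label together with an interpreter and a hidden user-writable path, deserves a look at the script it points to and at the `launchctl list` output for its label.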
In the third stage, the launch agent's payload acts as a backdoor: it connects to the C2 server, sends details of the infected system and the applications installed on it, and waits for commands. During Kaspersky's investigation the server issued no commands at all, which the researchers read as a sign that the campaign's server side was still being developed or was waiting for particular victims.
The final stage is a crypto-stealing component. If the backdoor finds the Exodus or Bitcoin-Qt wallet applications on the machine, it replaces them with trojanized copies of the legitimate apps. The replacements look and behave like the originals but carry added code that sends the user's wallet secrets to the operators the next time the wallet is opened.
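Because the trojanized wallets are drop-in replacements, the practical check is whether the installed bundle still matches what the vendor shipped. The script below is an added example, not Kaspersky's code or a vendor tool. It assumes the wallets sit at their default paths under /Applications and that you recorded SHA-256 hashes of the main executables when you installed them from the vendor's site; on a Mac it also drives `codesign --verify --deep --strict`, which fails as soon as a sealed file in the bundle is replaced. The demo function builds fake executables in a temporary directory so the baseline comparison can be exercised offline; the "Electrum" entry it adds is constructed to show the not-installed case.

```python
"""Detect replaced or patched wallet app executables (added example).

Two independent checks: a hash baseline you control, and Apple's code signature.
"""
import hashlib
import os
import subprocess
import tempfile
from typing import Dict, List, Optional

# Assumed default install locations of the bundles' main executables.
WALLET_EXECUTABLES: Dict[str, str] = {
    "Exodus": "/Applications/Exodus.app/Contents/MacOS/Exodus",
    "Bitcoin-Qt": "/Applications/Bitcoin-Qt.app/Contents/MacOS/Bitcoin-Qt",
}


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large Mach-O binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_against_baseline(executables: Dict[str, str],
                           baseline: Dict[str, str]) -> Dict[str, str]:
    """Per wallet: 'ok', 'MODIFIED', 'missing' (not installed) or 'no-baseline'."""
    status: Dict[str, str] = {}
    for name, path in executables.items():
        if not os.path.isfile(path):
            status[name] = "missing"
        elif name not in baseline:
            status[name] = "no-baseline"
        elif sha256_file(path) != baseline[name]:
            status[name] = "MODIFIED"
        else:
            status[name] = "ok"
    return status


def codesign_verify_cmd(bundle: str) -> List[str]:
    # --deep walks nested code, --strict applies the current signing rules.
    return ["codesign", "--verify", "--deep", "--strict", "--verbose=2", bundle]


def codesign_verify(bundle: str) -> Optional[bool]:
    """True/False on macOS; None where codesign does not exist (e.g. an analysis box)."""
    try:
        proc = subprocess.run(codesign_verify_cmd(bundle), capture_output=True)
    except FileNotFoundError:
        return None
    return proc.returncode == 0


def demo_tamper_detection() -> Dict[str, str]:
    """Offline demonstration with constructed files: record a baseline, then overwrite
    one executable the way a trojanized replacement would."""
    with tempfile.TemporaryDirectory() as tmp:
        exes = {name: os.path.join(tmp, name) for name in ("Exodus", "Bitcoin-Qt")}
        for path in exes.values():
            with open(path, "wb") as f:
                # Fake Mach-O magic followed by a marker; not a real binary.
                f.write(b"\xcf\xfa\xed\xfe genuine " + os.path.basename(path).encode())
        baseline = {name: sha256_file(path) for name, path in exes.items()}

        with open(exes["Exodus"], "wb") as f:          # the "swap" performed by the malware
            f.write(b"\xcf\xfa\xed\xfe patched Exodus")
        exes["Electrum"] = os.path.join(tmp, "Electrum")  # constructed: wallet not installed
        return check_against_baseline(exes, baseline)


if __name__ == "__main__":
    print("demo:", demo_tamper_detection())
    for name, path in WALLET_EXECUTABLES.items():
        bundle = path.split("/Contents/")[0]
        print(f"{name}: codesign ok = {codesign_verify(bundle)}")
```

The hash baseline must come from a copy you obtained from the vendor yourself, stored somewhere the user's account cannot rewrite; a baseline recorded after the swap would simply bless the trojanized binary. The codesign check needs no baseline, but it only tells you the bundle is signed and intact, so pair it with a look at the signing identity in `codesign -dv --verbose=4` to confirm it is the vendor's.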
Sergey Puzan, a security researcher at Kaspersky, warns that users who download cracked applications are at risk of falling victim to cybercriminals. He emphasizes the importance of avoiding suspicious websites, especially when it comes to cryptocurrency transactions, and recommends using reliable cybersecurity solutions to enhance protection against such threats.
To protect against this malware strain, users are advised to install software only from official sources, keep macOS and their security software up to date, and treat any "activator" or "patcher" that asks for an administrator password as a red flag. By staying informed and taking these proactive measures, users can reduce their risk of falling victim to attacks targeting macOS systems.