MacOS users are being targeted with dangerous malware once again

A new piece of malware is hiding in cracked macOS software


Here is another reason why you shouldn’t download cracked or pirated software to your macOS devices - there’s malware hiding within.

Cybersecurity researchers from Kaspersky are warning of a new piece of malware, built for the Apple ecosystem, being distributed on websites claiming to offer cracked applications.

Victims would download a PKG file, thinking they were getting an activator for a cracked app they previously downloaded. They would place the PKG in the /Applications/ folder, as part of the instructions to “activate” the cracked piece of software.

macOS malware strikes again

On the surface, the malware works as “intended”: the victim is shown a bogus Activator window asking for the administrator password. Once that is granted, the malware contacts its command and control (C2) server and retrieves a script capable of running arbitrary commands on the target endpoint.

An interesting thing about this malware is how it works out the correct URL for the C2 server: it builds the domain name by pulling words from two hardcoded lists and prepending a random sequence of five letters as the third-level domain label. Because the resulting lookups look like ordinary DNS queries, the malicious activity blends into normal traffic.

“With this URL, the sample made a request to a DNS server as an attempt to get a TXT record for the domain”, Kaspersky explained.
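To make the scheme above concrete from a defender's side, here is an added example (not code from the article or from Kaspersky) that models the described domain construction and then runs a simple detection over constructed DNS resolver log lines. The word lists, the TLD, the way the two words are joined into the second-level label, and the log format are all assumptions for illustration; the real malware's lists are not reproduced in the article.

```python
import re
import secrets

# Stand-in word lists. The malware's two hardcoded lists are not reproduced
# in the article, so these are constructed purely for illustration.
WORDS_A = ["cloud", "data", "secure", "update"]
WORDS_B = ["service", "node", "cdn", "sync"]
TLD = "example"  # assumed; the article does not name the TLD
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def generate_c2_domain(word_a=None, word_b=None, rand=None):
    """Model the generation scheme the article describes: a second-level
    label built from the two word lists plus a random five-letter
    third-level label. Joining the two words by plain concatenation is an
    assumption; the article only says words are pulled from both lists."""
    word_a = word_a or secrets.choice(WORDS_A)
    word_b = word_b or secrets.choice(WORDS_B)
    rand = rand or "".join(secrets.choice(LETTERS) for _ in range(5))
    return f"{rand}.{word_a}{word_b}.{TLD}"


# Constructed resolver log, one query per line: "<client> <qtype> <qname>".
# 10.0.0.5 behaves like an infected host; the others are benign TXT users.
SAMPLE_DNS_LOG = """\
10.0.0.5 A apple.com
10.0.0.5 TXT qzxwv.clouddata.example
10.0.0.5 TXT hjkpl.securesync.example
10.0.0.5 TXT mnbvc.updatenode.example
10.0.0.7 A github.com
10.0.0.7 TXT _dmarc.github.com
10.0.0.9 TXT google._domainkey.example.org
10.0.0.5 A icloud.com
"""

RANDOM_LABEL = re.compile(r"^[a-z]{5}$")


def suspicious_txt_queries(log_text, min_hits=2):
    """Return {client: [qnames]} for clients that issued at least `min_hits`
    TXT queries for three-label names whose leftmost (third-level) label is
    exactly five lowercase letters. Workstations rarely issue TXT lookups at
    all; mail infrastructure does (SPF, DMARC, DKIM), so baseline the
    threshold per host class before alerting on it."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        client, qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if qtype.upper() != "TXT" or len(labels) != 3:
            continue
        if RANDOM_LABEL.match(labels[0]):
            hits.setdefault(client, []).append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    print("generated:", generate_c2_domain())
    for client, names in suspicious_txt_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} suspicious TXT lookups -> {names}")
```

The check deliberately keys on TXT record type plus label shape rather than on any specific word list, since the lists can change between samples; the cost is that short DKIM selectors or other legitimate five-letter labels will match, which is why `min_hits` and a per-host baseline matter.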

The final payload grants the attackers all kinds of advantages, from backdoor access, to information about the compromised system, and more. Among other things, the malware will look for Bitcoin Core and Exodus wallets on compromised devices, and if it finds them, replaces them with backdoored copies. Once the victim tries to log into their wallets again, they could have their funds drained almost instantly.

Kaspersky also said that while it was investigating the malware, the C2 came back with an upgraded version of the backdoor script, signaling continuous development. However, command execution was not yet available, Kaspersky said, suggesting that the malware is still work-in-progress.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
