Summary:
A recent discovery reveals a new strain of malware embedded in pirated macOS applications, reminiscent of the ZuRu malware. Hosted on Chinese piracy websites, these malicious applications discreetly compromise victims' machines by downloading and executing multiple payloads upon detonation. The malware is delivered through modified disk image (DMG) files of popular software. Notably, the malware relies on a dropper component, a malicious dynamic library (dylib), which executes each time the infected application is opened.
The newly discovered macOS malware embedded in pirated applications uses several techniques, including a malicious dynamic library (dylib) and custom XOR encryption, to compromise victims' machines discreetly. The malware, reminiscent of the ZuRu strain, operates by modifying legitimate applications, such as FinalShell, and introducing a dylib through an additional load command. When executed, this dylib contacts specified URLs to download encoded payloads, which are decoded in memory. The malware includes a fully fledged backdoor, named /tmp/.test, built on the Khepri command-and-control project; it exhibits evasion techniques such as replacing its command-line arguments so that it blends in with legitimate operating-system processes. Additionally, a persistent downloader is deployed that establishes persistence and executes arbitrary payloads fetched from the attacker's server. The malware's similarities with ZuRu, coupled with its specific targeting and evasion tactics, suggest it may be a successor in that family's evolution.
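One defensive check that follows from the description above is to compare an application's dylib load commands against those of a known-clean copy, so that an extra LC_LOAD_DYLIB injected into the main binary stands out. The following is an added example, not code from the report or from any vendor; the Mach-O fixture, the baseline library list and the path `@executable_path/../Resources/libhook.dylib` are constructed for illustration, not indicators from the page.

```python
"""Enumerate dylib load commands in a 64-bit Mach-O and diff them against a
known-good baseline, to spot an extra LC_LOAD_DYLIB added to a legitimate app."""
from __future__ import annotations
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
DYLIB_CMDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB"}
HEADER = "<IiiIIIII"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def parse_dylib_loads(data: bytes) -> list[tuple[str, str]]:
    """Return (command name, library path) for every dylib load command."""
    hdr = struct.unpack_from(HEADER, data, 0)
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    loads, off = [], struct.calcsize(HEADER)
    for _ in range(hdr[4]):  # hdr[4] is ncmds
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            (name_off,) = struct.unpack_from("<I", data, off + 8)  # lc_str offset
            raw = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            loads.append((DYLIB_CMDS[cmd], raw.decode("utf-8", "replace")))
        off += cmdsize
    return loads


def unexpected_dylibs(data: bytes, baseline: set[str]) -> list[tuple[str, str]]:
    """Load commands whose library path does not appear in the clean app's baseline."""
    return [(c, p) for c, p in parse_dylib_loads(data) if p not in baseline]


def build_sample(paths: list[str]) -> bytes:
    """Constructed fixture: minimal arm64 MH_EXECUTE header plus one LC_LOAD_DYLIB per path."""
    cmds = b""
    for p in paths:
        name = p.encode() + b"\0"
        size = (24 + len(name) + 7) & ~7  # six uint32 fields + lc_str, 8-byte aligned
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, 0x10000, 0x10000)
        cmds += name.ljust(size - 24, b"\0")
    return struct.pack(HEADER, MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds


CLEAN_BASELINE = {"/usr/lib/libSystem.B.dylib", "/usr/lib/libobjc.A.dylib"}  # constructed
TAMPERED = build_sample(sorted(CLEAN_BASELINE) + ["@executable_path/../Resources/libhook.dylib"])

if __name__ == "__main__":
    for cmd, path in unexpected_dylibs(TAMPERED, CLEAN_BASELINE):
        print(f"extra {cmd}: {path}")
```

On a real system the baseline would be taken from a copy of the application obtained from the vendor, and the check run against the main executable inside the suspect bundle.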
This malware, embedded in pirated macOS applications, underscores the risks of downloading software from untrusted sources. Users who override security warnings to run these unsigned applications expose themselves to covert compromise. With striking similarities to the previously observed ZuRu malware, it appears to target specific applications and infrastructure, possibly indicating a successor in that family's evolution. Security awareness, adherence to system warnings, and robust threat-detection mechanisms are crucial to mitigating the impact of such threats and safeguarding against unauthorized access and data compromise.
Threat Profile:

References:
The following reports contain further technical details:
https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html