Mac users face a fresh threat from proxy malware delivered via pirated software.


Mac users are now under the threat of a recently identified proxy trojan malware distributed alongside pirated macOS software on warez websites. This malicious software transforms infected computers into traffic-forwarding nodes, enabling the anonymization of various malicious and illegal activities, including hacking, phishing, and the trade of illicit goods.

The sale of proxy access has become a profitable enterprise, contributing to the creation of extensive botnets. Unfortunately, Mac devices have not escaped the reach of this widespread cybercriminal activity.

Kaspersky recently identified the most recent proxy malware campaign, noting that the earliest submission of the payload on VirusTotal dates back to April 28, 2023.

The campaign exploits individuals’ willingness to compromise their computer’s security in order to obtain premium apps without payment.

Kaspersky identified 35 tools for image editing, video compression and editing, data recovery, and network scanning that have been compromised with a proxy trojan to lure users seeking free versions of commercial software.

Among the trojanized software featured in this campaign are:

  1. 4K Video Downloader Pro
  2. Aiseesoft Mac Data Recovery
  3. Aiseesoft Mac Video Converter Ultimate
  4. AnyMP4 Android Data Recovery for Mac
  5. Downie 4
  6. FonePaw Data Recovery
  7. Sketch
  8. Wondershare UniConverter 13
  9. SQLPro Studio
  10. Artstudio Pro

Kaspersky notes that unlike the authentic software, which is distributed as disk images, the trojanized versions are downloaded as PKG files.

PKG files pose a greater risk compared to disk image files, the standard installation medium for these programs, as they can execute scripts during the app installation process. Since installer files run with administrator rights, any scripts they execute inherit the same permissions, allowing them to perform potentially harmful actions such as file modification, autorun, and command execution.

In this instance, the embedded post-installation scripts run the trojan, a file named WindowServer, so that it passes as a system process.

WindowServer is a legitimate system process integral to macOS, responsible for managing the graphical user interface. The trojan is designed to seamlessly integrate with regular system operations, evading user detection.

The launch item that starts this fake WindowServer at OS startup is a property list named “GoogleHelperUpdater.plist,” chosen to resemble a Google configuration file so that it escapes user attention.
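The two disguises described above (a vendor-looking launch item name and a fake system-process binary) are what a defender would check launchd plists for. The following Python script is an added example written for this article, not code from Kaspersky or the malware; the sample plists and the path `/Users/Shared/.update/WindowServer` are constructed for illustration.

```python
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List

# Genuine macOS system binaries a third-party LaunchAgent/LaunchDaemon should
# never start (heuristic list; the article's trojan masquerades as WindowServer).
SYSTEM_PROCESS_NAMES = {"WindowServer", "launchd", "kernel_task"}
SYSTEM_PATH_PREFIXES = ("/System/Library/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")

def inspect_launch_item(name: str, data: bytes) -> List[str]:
    """Return findings for one launchd plist; an empty list means nothing suspicious."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist content
        return [f"{name}: unparsable plist ({type(exc).__name__})"]
    # launchd accepts either a single Program path or a ProgramArguments argv list
    args = plist.get("ProgramArguments")
    prog = plist.get("Program") or (args[0] if isinstance(args, list) and args else None)
    if not isinstance(prog, str):
        return [f"{name}: no Program/ProgramArguments key"]
    findings = []
    base = PurePosixPath(prog).name
    if base in SYSTEM_PROCESS_NAMES and not prog.startswith(SYSTEM_PATH_PREFIXES):
        findings.append(f"{name}: starts '{base}' from non-system path {prog}")
    if plist.get("RunAtLoad") and "/." in prog:
        findings.append(f"{name}: RunAtLoad binary lives in a hidden directory {prog}")
    return findings

# Constructed sample plists (not artefacts from the campaign); the first mimics the
# described behaviour: a Google-looking label that starts a fake WindowServer.
SAMPLES: Dict[str, bytes] = {
    "GoogleHelperUpdater.plist": plistlib.dumps({
        "Label": "GoogleHelperUpdater",
        "ProgramArguments": ["/Users/Shared/.update/WindowServer"],  # constructed path
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.example.backup.plist": plistlib.dumps({
        "Label": "com.example.backup",
        "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backupd"],
        "RunAtLoad": True,
    }),
}

def scan(items: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checks over a name -> plist-bytes mapping (e.g. files read from LaunchAgents)."""
    return {n: inspect_launch_item(n, d) for n, d in items.items()}
```

On a real Mac the `SAMPLES` mapping would be built by reading `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the name-based check is a heuristic and should be paired with code-signature verification of the referenced binary.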

Upon activation, the trojan establishes a connection with its Command and Control (C2) server using DNS-over-HTTPS (DoH) to receive operational commands.

While Kaspersky did not directly observe these commands in action, their analysis led them to conclude that the client supports the creation of TCP or UDP connections to facilitate proxying.

In addition to the macOS-focused campaign utilizing PKG files, the same C2 infrastructure hosts proxy trojan payloads tailored for Android and Windows architectures, indicating that the operators likely target a diverse range of systems.
