
Beware: Pirated macOS Applications Conceal a Dangerous Backdoor


In a recent discovery by Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley, a disturbing trend has emerged targeting Apple macOS users. Pirated applications, primarily hosted on Chinese pirating websites, have been found to contain a backdoor capable of granting attackers remote control over infected machines.

The modus operandi of these malicious applications is alarming. The backdoored disk image (DMG) files, masquerading as legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop, have been surreptitiously modified to establish communications with actor-controlled infrastructure.


Upon detonation, the malware downloads and executes multiple payloads in the background, silently compromising the victim’s machine. The unsigned applications, primarily found on a Chinese website named macyy[.]cn, incorporate a dropper component (a dynamic library, or “dylib”) that is executed every time the application is opened.

The dylib serves as a conduit to retrieve a backdoor (“bd.log”) and a downloader (“fl01.log”) from a remote server. These components are then used to establish persistence and fetch additional payloads on the compromised machine.

The backdoor, located at “/tmp/.test,” is a fully-featured tool built atop the open-source post-exploitation toolkit called Khepri. Despite its temporary location in the “/tmp” directory, it is designed to be recreated each time the pirated application is loaded and the dropper is executed.

Similarly, the downloader, hidden at “/Users/Shared/.fseventsd,” creates a LaunchAgent to ensure persistence and communicates with an actor-controlled server.

Although the server is currently inaccessible, the downloader is crafted to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
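A defender-side hunting check for the artefacts this article names, as an added Python example (not code from Jamf's report or The Hacker News). The file paths are the ones given above; the LaunchAgent directories are the standard macOS locations; and the extra rule that flags any LaunchAgent whose program is a hidden dotfile is an assumption that goes beyond the specific indicators in the text.

```python
import os
import plistlib
from pathlib import Path

# Paths named in the Jamf Threat Labs findings summarised above.
SUSPECT_PATHS = ("/tmp/.test", "/Users/Shared/.fseventsd", "/tmp/.fseventsds")
# Standard per-user and system LaunchAgent directories (assumed default set).
DEFAULT_AGENT_DIRS = ("/Library/LaunchAgents",
                      os.path.expanduser("~/Library/LaunchAgents"))


def launchd_programs(plist_path: Path) -> list:
    """Return the executable(s) a launchd plist would run (Program, ProgramArguments[0])."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to report
        return []
    programs = []
    if isinstance(data.get("Program"), str):
        programs.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        programs.append(args[0])
    return programs


def scan(root="/", agent_dirs=DEFAULT_AGENT_DIRS):
    """Hunt under `root` for the artefacts described in the article; `root` lets the
    same logic run on a mounted image or a test tree. Returns (kind, detail) pairs."""
    rootp = Path(root)
    findings = []
    for p in SUSPECT_PATHS:
        if (rootp / p.lstrip("/")).exists():
            findings.append(("file", p))
    for d in agent_dirs:
        dpath = rootp / d.lstrip("/")
        if not dpath.is_dir():
            continue
        for plist in sorted(dpath.glob("*.plist")):
            for prog in launchd_programs(plist):
                # Flag the known paths, plus the (assumed) heuristic that a
                # LaunchAgent whose program is a hidden dotfile needs review.
                if prog in SUSPECT_PATHS or os.path.basename(prog).startswith("."):
                    findings.append(("launchagent", f"{plist}: {prog}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan():
        print(f"[{kind}] {detail}")
```

On a live Mac, `scan()` with the defaults reads the real `/tmp`, `/Users/Shared` and LaunchAgent directories; an empty result means none of the listed artefacts were found, not that the machine is clean.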

Jamf researchers have drawn parallels between this malware and ZuRu, a previously observed threat spread through pirated applications on Chinese sites. The similarities in targeted applications, modified load commands, and attacker infrastructure suggest the possibility that this new malware could be a successor to ZuRu.

The implications of these findings are critical for macOS users, especially those tempted to download pirated software. Such malware not only compromises the security and privacy of the user but also provides attackers with unwarranted access to their machines.

In light of this discovery, it is imperative for users to exercise caution and rely solely on legitimate sources for software acquisition. Additionally, maintaining up-to-date security software and practicing safe browsing habits can significantly reduce the risk of falling victim to such insidious attacks.

As the digital landscape continues to evolve, vigilance and awareness remain our most potent defenses against cyber threats. It is crucial that users remain informed and proactive in safeguarding their digital environments against potential infiltration and exploitation.

Source: The Hacker News

If you’re looking for more comprehensive details on this topic, I highly recommend checking out the informative article on The Hacker News. https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html
