
Backdoors hidden in pirated versions of well-known software are a concern for macOS experts.

Newsroom, Malware / Endpoint Security, Jan 19, 2024

Pirated software targeting Apple macOS users has been found to contain a backdoor that allows attackers to remotely control infected machines.

According to Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley, “These applications are being hosted on Chinese pirating websites in order to gain victims.”

Once it has detonated, the malware will “download and execute multiple payloads in the background in order to covertly compromise the victim’s machine.”

Legitimate applications such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop are among the backdoored disk image (DMG) files that have been altered to establish communications with actor-controlled infrastructure.


In addition to being hosted on a Chinese website named macyy[.], the unsigned applications incorporate a “dylib” dropper component that runs each time the application is opened.

The dropper then serves as a conduit for fetching two payloads from a remote server: a backdoor (“bd.log”) and a downloader (“fl01.log”). The downloader is used to configure persistence on the compromised machine and to retrieve additional payloads.

The backdoor, written to the path “/tmp/.test”, is fully functional and was created on top of an open-source post-exploitation toolkit called Khepri. Because it lives in the “/tmp” directory, it is deleted when the system shuts down.

However, the next time the pirated application is launched and the dropper runs, the backdoor is recreated in the same location.

The downloader, on the other hand, is written to the hidden path “/Users/Shared/.fseventsd”, after which it sends an HTTP GET request to an actor-controlled server and creates a LaunchAgent to ensure persistence.

Even though the server is no longer accessible, the downloader is designed to write the HTTP response to a new file at “/tmp/.fseventsds” and then launch it.
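As an added defender-side illustration (not code from the article or from Jamf), the script below checks a macOS host for the hidden file paths named above and flags any per-user LaunchAgent plist whose program points at one of them. The sample plists are constructed inline so it runs offline; on a real host, `load_user_launch_agents()` reads `~/Library/LaunchAgents`.

```python
import plistlib
from pathlib import Path

# Hidden on-disk paths described in the article (the only indicators assumed here)
SUSPICIOUS_PATHS = ("/tmp/.test", "/Users/Shared/.fseventsd", "/tmp/.fseventsds")


def find_suspicious_launch_agents(plists):
    """plists: mapping of plist file name -> raw plist bytes.
    Returns the names whose Program/ProgramArguments reference a suspicious path."""
    hits = []
    for name, raw in plists.items():
        try:
            data = plistlib.loads(raw)
        except Exception:  # malformed or non-plist content is skipped, not fatal
            continue
        candidates = []
        if isinstance(data.get("Program"), str):
            candidates.append(data["Program"])
        candidates.extend(a for a in data.get("ProgramArguments", []) if isinstance(a, str))
        if any(c.startswith(p) for c in candidates for p in SUSPICIOUS_PATHS):
            hits.append(name)
    return hits


def check_paths_on_disk(paths=SUSPICIOUS_PATHS):
    """Return the subset of indicator paths that currently exist on this host."""
    return [p for p in paths if Path(p).exists()]


def load_user_launch_agents(home=None):
    """Read every *.plist under ~/Library/LaunchAgents into a name -> bytes mapping."""
    agents_dir = Path(home or Path.home()) / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return {}
    return {p.name: p.read_bytes() for p in agents_dir.glob("*.plist")}


# Constructed sample plists: one benign agent and one pointing at the hidden downloader path
SAMPLE_PLISTS = {
    "com.example.benign.plist": b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>Label</key><string>com.example.benign</string>"
    b"<key>ProgramArguments</key><array><string>/usr/bin/true</string></array></dict></plist>",
    "com.example.suspect.plist": b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>Label</key><string>com.example.suspect</string>"
    b"<key>ProgramArguments</key><array><string>/Users/Shared/.fseventsd</string></array>"
    b"<key>RunAtLoad</key><true/></dict></plist>",
}

if __name__ == "__main__":
    print("sample hits:", find_suspicious_launch_agents(SAMPLE_PLISTS))
    print("host hits:", find_suspicious_launch_agents(load_user_launch_agents()))
    print("paths present:", check_paths_on_disk())
```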


According to Jamf, the malware and ZuRu, which has been seen in the past spreading via pirated applications on Chinese websites, have a number of similarities.

Given its targeted applications, modified load commands, and attacker infrastructure, the researchers speculated that this malware may be a successor to the ZuRu malware.
