Mac users targeted by New proxy malware through pirated software
.jpg)
Cybercriminals are targeting Mac users with a new proxy trojan malware bundled with popular, copyrighted macOS software being offered on warez sites. Proxy trojan malware infects computers, turning them into traffic-forwarding terminals used to anonymize malicious or illegal activities such as hacking, phishing and transactions for illicit goods. Selling access to proxies is a lucrative business which has given birth to massive botnets. Mac devices have also not being spared by this widespread activity. The latest campaign pushing proxy malware was discovered by Kaspersky, which reports the earliest submission of the payload on VirusTotal dates to April 28, 2023.
.jpg)
The campaign takes advantage of people's willingness to risk their computer's security to avoid paying for premium apps. Kaspersky found 35 image editing, video compression and editing, data recovery and network scanning tools laced with the proxy trojan to bait users looking for free versions of commercial software. Following are the most popular of the trojanized software in this campaign:-
4K Video Donwloader Pro
Aissessoft Mac Data Recovery
Aiseesoft Mac Video Converter Ultimate
AnyMP4 Android Data Recovery for Mac
Downie 4
FonePaw Data Recovery
Wondershare UniConverter 13
SQLPro Studio
Artstudio Pro
.jpg)
Unlike the legitimate software, which are distributed as disk images, the trojanized versions are downloaded as PKG files. Compared to disk image files, which are the standard installation medium for these programs, PKG files are far riskier as they can execute scripts during the installation of the app. Because installer files are executed with administrator rights, any scripts they execute gain the same permissions when performing dangerous actions, including file modification, file auto run and command execution. In this case, the embedded scripts are activated after the program's installation to execute the trojan, a WindowServer file and make it appear as a system process.
.jpg)
WindowServer is a legitimate system process in macOS responsible for managing the graphic user interface. The trojan aims to blend with routine system operations and elude user scrutiny. The file tasked with launching WindowServer upon OS startup is named "GoogleHelperUpdater.plist," mimicking a Google configuration file, again, aiming to be overlooked by the all. Upon launch, the trojan connects to its C2 (command and control) server via DNS-over-HTTPS (DoH) to receive commands relating to its operation. Although these commands in action were not observed, but through analysis, deduced that the client supports creating TCP or UDP connections to facilitate proxying. In addition to the macOS campaign using PKGs, the same C2 infrastructure hosts proxy trojan payloads for Android and Windows architectures and same operators likely target a wide range of systems of different users.
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)
.jpg)