
Cracked macOS Apps Deliver Infostealers that Drain Crypto Wallets

Cybersecurity experts from Kaspersky have uncovered a sophisticated method employed by hackers to deliver information-stealing malware to macOS users. This insidious campaign employs a stealthy approach, utilizing DNS records to conceal malicious scripts and target users of macOS Ventura and later versions.

Cracked macOS Apps Delivering Infostealing Malware

The attack revolves around the distribution of cracked applications repackaged as PKG files, camouflaging a trojan within the seemingly harmless software.

The attack methodology was brought to light by researchers at cybersecurity firm Kaspersky, who dissected the stages of the infection chain. Victims unwittingly become part of the campaign by downloading and executing the malware, guided by installation instructions that prompt them to place the malicious file in the /Applications/ folder. The attackers leverage users’ expectations, disguising the malware as an activator for the cracked app they initially downloaded.


Technical Overview of the Attacks

Upon execution, a deceptive Activator window emerges, strategically designed to deceive victims into providing their administrator password. This deceptive tactic allows the malware to gain elevated privileges, paving the way for a broader and more damaging impact.

The sophistication of this campaign lies in its use of DNS records to obscure the malicious scripts, evading traditional detection methods and making it challenging for security measures to intervene. As users follow seemingly innocuous installation instructions, the trojan quietly establishes a foothold on the victim’s system, ready to carry out its information-stealing capabilities.

With user permission granted, the malware initiates its attack by executing a ‘tool’ executable (Mach-O) via the ‘AuthorizationExecuteWithPrivileges’ function. To further mask its activities, the malware checks for the presence of Python 3 on the system and installs it if absent, cleverly disguising the entire process as benign “app patching.”

Following this stealthy initiation, the malware establishes contact with its command and control (C2) server, operating under the deceptive guise of “apple-health[.]org.” The objective is to retrieve a base64-encoded Python script from the server, capable of executing arbitrary commands on the compromised device.

Communication with the C2 Server

Researchers also uncovered an intriguing method employed by the threat actor to communicate with the C2 server. Using a combination of words from two hardcoded lists and a randomly generated sequence of five letters, the malware constructs a third-level domain name, forming a URL. This URL, when used to make a request to a DNS server, seeks a TXT record for the domain, according to findings from cybersecurity experts at Kaspersky.

This method allows the malware to effectively conceal its nefarious activities within normal web traffic. The Python script payload, encoded as TXT records, is downloaded from the DNS server without arousing suspicion, as these requests appear typical and innocuous.
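A defender's view of the technique described above: a small triage routine, added here as an example and not part of the original article or of Kaspersky's report, that scans DNS resolver log records for TXT lookups whose leftmost label has the word-word-random-letters shape and whose answer is a base64-decodable blob rather than a normal SPF, DMARC or verification string. The log records, the hyphen-separated label shape and the placeholder domains are constructed assumptions, not indicators from the report.

```python
import base64
import binascii
import re

# Constructed sample DNS resolver records: (qname, qtype, rdata).
# Domains are placeholders; they are not indicators from the report.
SAMPLE_DNS_LOG = [
    ("www.example.com", "A", "93.184.216.34"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("example.com", "TXT", "google-site-verification=abc123"),
    # odd label shape but an ordinary SPF answer: one signal only
    ("cloud-sync-abcde.example.com", "TXT", "v=spf1 -all"),
    # odd label shape plus a base64 blob as the answer: two signals
    ("health-check-qzxvw.c2-placeholder.invalid", "TXT",
     base64.b64encode(b"print('constructed payload stand-in')").decode()),
]

# Assumed shape of the generated third-level label: two dictionary words
# followed by five random letters, hyphen separated.
GENERATED_LABEL_RE = re.compile(r"^[a-z]+-[a-z]+-[a-z]{5}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(rdata, min_len=32):
    """True if the TXT answer is a strictly valid base64 blob of useful size."""
    if len(rdata) < min_len or not BASE64_RE.match(rdata):
        return False
    try:
        base64.b64decode(rdata, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def score_txt_record(qname, qtype, rdata):
    """Return the list of suspicious signals for one DNS record (TXT only)."""
    reasons = []
    if qtype != "TXT":
        return reasons
    labels = qname.lower().split(".")
    if len(labels) >= 3 and GENERATED_LABEL_RE.match(labels[0]):
        reasons.append("leftmost label matches word-word-random5 shape")
    if looks_base64(rdata):
        reasons.append("TXT answer is a base64 blob, not SPF/DMARC/verification text")
    return reasons


def find_suspicious_txt_queries(records, min_signals=2):
    """Flag records that trip at least min_signals heuristics."""
    hits = []
    for qname, qtype, rdata in records:
        reasons = score_txt_record(qname, qtype, rdata)
        if len(reasons) >= min_signals:
            hits.append((qname, reasons))
    return hits
```

Run against real resolver logs, the two-signal threshold keeps ordinary SPF, DMARC and site-verification TXT records out of the alert queue while surfacing TXT answers that carry encoded payloads.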

Functioning as a downloader, this script’s primary task was to fetch a second Python script, serving as a backdoor with extensive capabilities. Once activated, the backdoor script clandestinely gathered and transmitted sensitive information about the infected system, including OS version, directory listings, installed applications, CPU type, and external IP address.

The ‘tool’ executable employed in the attack demonstrated another facet of the malware’s strategy by modifying the ‘/Library/LaunchAgents/launched..plist’ to ensure persistence between system reboots, solidifying its foothold on the compromised device.

During their examination, Kaspersky researchers observed that the command and control (C2) server consistently provided upgraded versions of the backdoor script, suggesting ongoing development. However, no command execution was witnessed, leaving room for speculation about potential future functionalities yet to be implemented.

The Crypto Wallet Stealer

The downloaded script revealed a sinister twist as it contained functions designed to inspect the infected system for the presence of Bitcoin Core and Exodus wallets. If detected, the malware replaced these wallets with backdoored copies obtained from ‘apple-analyzer[.]com.’ The compromised wallets contained malicious code engineered to send sensitive information, including seed phrases, passwords, names, and balances, directly to the attacker’s C2 server. Users who unsuspectingly comply with unexpected prompts to re-enter wallet details risk having their wallets emptied.

Kaspersky emphasized that the cracked applications used as vectors in this campaign serve as convenient gateways for malicious actors to infiltrate users’ computers. While the use of cracked applications for malware delivery is not new, this campaign exemplifies the adaptability of threat actors in devising innovative methods, such as concealing the payload within a domain TXT record on a DNS server.

This revelation is not surprising at all, considering overall macOS malware trends and the prevalence of infostealers evading XProtect’s defense mechanisms.

Milena Dimitrova