MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

By neub9
3 Min Read

Jan 23, 2024


Malware / Cryptocurrency

Reports indicate that cracked software is targeting Apple macOS users with a newly discovered stealer malware capable of extracting system information and cryptocurrency wallet data.

Kaspersky found the malware in the wild, stating it’s designed to infect macOS Ventura 13.6 and later, impacting both Intel and Apple silicon processor architectures.

The attack uses booby-trapped disk image (DMG) files that include a program named “Activator” and a pirated version of legitimate software such as xScope.

Victims who open the DMG files are instructed to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app.

Launching Activator prompts the victim to enter the system administrator password, allowing it to execute a Mach-O binary with elevated permissions to launch the modified xScope executable.

According to security researcher Sergey Puzan, the attackers disabled the pre-cracked application versions, resulting in the user launching Activator.

The next phase involves establishing contact with a command-and-control (C2) server to retrieve an encrypted script by combining words from hard-coded lists and adding a random sequence of five letters as a third-level domain name.

A DNS request is then sent to retrieve three DNS TXT records, containing a Base64-encoded ciphertext fragment that is decrypted and assembled to construct a Python script, establishing persistence and functioning as a downloader by reaching out to “apple-health[.]org” every 30 seconds to download and execute the main payload.

Security researcher Sergey Puzan described this method as “seriously ingenious.” The backdoor, maintained and updated by the threat actor, is designed to run received commands, gather system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the infected host.

Trojanized versions of Exodus and Bitcoin Core wallets exfiltrate sensitive data to an actor-controlled server if found on the infected system.

Security researchers are warning that cracked software is increasingly being used to compromise macOS users with various forms of malware, including Trojan-Proxy and ZuRu.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *