Security Bite: Dangerous malware is commonly found in pirated macOS applications


Security researchers have discovered a new strain of malware hidden in several commonly pirated macOS apps. Once installed, the apps quietly execute Trojan-like malware in the background of the user's Mac, and what happens from there is not good.


9to5Mac Security Bite is brought to you exclusively by Mosyle, Apple's only unified platform. Making Apple devices business-ready and secure for enterprises is what we do. Our uniquely integrated approach to management and security combines Apple's latest security solutions for fully automated hardening and compliance, next-generation EDR, AI-powered Zero Trust, and exclusive privilege management with the most powerful and advanced Apple MDM on the market. The result is a unified, fully automated Apple platform that is now trusted by more than 45,000 organizations to make millions of Apple devices operational effortlessly and affordably. Request your extended trial today and understand why Mosyle is everything you need to work with Apple.


This is Security Bite, your weekly security-focused column on 9to5Mac. Every week, Arin Waichulis provides insights into data privacy, exposes vulnerabilities, and highlights emerging threats within Apple's vast ecosystem of more than 2 billion active devices. Stay informed, stay safe.

While investigating several threat alerts, Jamf Threat Labs researchers found an executable file named .fseventsd. The name is no coincidence: fseventsd is the real macOS daemon that tracks changes to files and directories and stores that event data for features such as Time Machine backups. But the genuine .fseventsd is not an executable at all; it is a hidden directory of FSEvents log records written by that daemon. On top of that, Jamf found that the suspicious file was not signed by Apple.

"Such properties often require further investigation," Jamf Threat Labs said in a blog post about the research by Ferdous Saljooki and Jaron Bradley. "Using VirusTotal, we were able to identify that this oddly named .fseventsd binary was originally uploaded as part of a larger DMG file."

The pair discovered five disk image (DMG) files containing modified code for commonly pirated applications: FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.

"These apps are hosted on Chinese pirating sites in order to gain victims," Jamf explains. "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's device."

On the surface, the applications look and behave as intended, while a dropper runs in the background to establish communications with attacker-controlled infrastructure.

At a high level, the chain around the .fseventsd binary performs three malicious activities, in this order. First, a malicious dylib (dynamic library) is loaded; it acts as a dropper and runs every time the application is opened. Second, a backdoor binary is downloaded that is built on Khepri, an open-source command-and-control (C2) post-exploitation tool. Third, a downloader establishes persistence and fetches additional payloads.

Jamf explains that the open-source Khepri project lets attackers collect information about a victim's system, download and upload files, and even open a remote shell. "This malware is likely a successor to the ZuRu malware due to its targeted applications, modified load commands, and attacker infrastructure."
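Two of the artifacts described above can be triaged with a small Mach-O parser: the regular file masquerading as .fseventsd (on a real Mac that name belongs to a hidden directory, not a binary), and the load command that a tampered app carries so dyld pulls in the dropper dylib at launch (the "modified load commands" that tie this campaign to ZuRu). The code below is an added example written for this column, not Jamf's tooling or the malware's own code. The dylib names, the "baseline" and "suspect" binaries and the temporary files are all constructed here for the demonstration; the parser handles only thin little-endian 64-bit images, so split a real fat binary with `lipo <file> -thin arm64 -output <out>` first (or extend the header handling). The reliable check is the diff against a legitimately obtained copy of the same app, since an injected dylib inside the bundle looks perfectly ordinary to a path heuristic.

```python
"""Added example: triage checks for a masquerading .fseventsd file and for
dylib load commands injected into a pirated app's main binary."""
import struct
import tempfile
from pathlib import Path

# Mach-O / fat magic values, as read with a little-endian unpack of the first 4 bytes.
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA

# Load commands that make dyld map another image at launch.
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
LC_LOAD_UPWARD_DYLIB = 0x80000023
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

# Where a normal app's dependencies live; anything else deserves a look.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/", "@rpath/", "@executable_path/", "@loader_path/")


def macho_kind(data: bytes):
    """Classify a file by magic: 'macho64', 'macho32', 'fat' or None."""
    if len(data) < 4:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    return {MH_MAGIC_64: "macho64", MH_CIGAM_64: "macho64", MH_MAGIC: "macho32",
            MH_CIGAM: "macho32", FAT_MAGIC: "fat", FAT_CIGAM: "fat"}.get(magic)


def fseventsd_masquerade(path: Path) -> bool:
    """The genuine .fseventsd is a hidden *directory* of FSEvents logs; a regular
    file with that name whose first bytes are a Mach-O magic is suspicious."""
    if path.name != ".fseventsd" or not path.is_file():
        return False
    with path.open("rb") as f:
        return macho_kind(f.read(4)) is not None


def linked_dylibs(data: bytes) -> list:
    """Walk the load commands of a thin little-endian 64-bit Mach-O and return
    the install names of every dylib it asks dyld to load."""
    if len(data) < 32 or struct.unpack("<I", data[:4])[0] != MH_MAGIC_64:
        raise ValueError("only thin little-endian 64-bit Mach-O images are handled")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # header fields after magic/cputype/cpusubtype/filetype
    off, end, found = 32, 32 + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in DYLIB_COMMANDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # dylib.name offset within the command
            raw = data[off + name_off: off + cmdsize]
            found.append(raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace"))
        off += cmdsize
    return found


def injected_dylibs(suspect: bytes, baseline: bytes) -> list:
    """Dylibs the suspect binary loads that a clean copy of the same app does not."""
    clean = set(linked_dylibs(baseline))
    return [p for p in linked_dylibs(suspect) if p not in clean]


def odd_dylib_paths(paths) -> list:
    """Weak heuristic for when no baseline exists: flag paths outside the usual places."""
    return [p for p in paths if not p.startswith(TRUSTED_PREFIXES)]


# --- constructed sample data (not real binaries) ---------------------------------
def _dylib_command(cmd: int, path: str) -> bytes:
    name = path.encode() + b"\x00"
    cmdsize = 24 + len(name)
    cmdsize += (-cmdsize) % 8  # dyld expects 8-byte aligned command sizes
    head = struct.pack("<IIIIII", cmd, cmdsize, 24, 2, 0x10000, 0x10000)  # cmd, size, name_off, ts, versions
    return head + name.ljust(cmdsize - 24, b"\x00")


def build_macho64(dylibs) -> bytes:
    """Minimal arm64 MH_EXECUTE header followed only by LC_LOAD_DYLIB commands."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, p) for p in dylibs)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


GOOD_DYLIBS = ["/usr/lib/libSystem.B.dylib",
               "/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa"]
# Hypothetical names chosen for this example; the page does not name the real dylib.
INJECTED = ["@executable_path/../Frameworks/libhypothetical_dropper.dylib",
            "/private/tmp/libhypothetical_stage2.dylib"]


def demo() -> dict:
    baseline = build_macho64(GOOD_DYLIBS)
    suspect = build_macho64(GOOD_DYLIBS + INJECTED)
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / ".fseventsd").write_bytes(suspect)          # a binary hiding behind the daemon's name
        (d / "legit").mkdir()
        (d / "legit" / ".fseventsd").mkdir()             # what the real thing looks like
        fake = fseventsd_masquerade(d / ".fseventsd")
        legit = fseventsd_masquerade(d / "legit" / ".fseventsd")
    return {"injected": injected_dylibs(suspect, baseline),
            "odd": odd_dylib_paths(linked_dylibs(suspect)),
            "fake_flagged": fake, "legit_flagged": legit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the in-bundle `@executable_path/...` entry is caught only by the baseline diff, not by the path heuristic, which is exactly why a known-good copy of the app is worth keeping for comparison.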

Interestingly, because the Khepri backdoor lives in a temporary location, it is deleted when the victim's Mac is restarted or shut down. The malicious dylib, however, is loaded again the next time the user opens the application.

How to protect yourself

While Jamf believes this attack primarily targets victims in China (the DMGs are hosted on .cn sites), it is a reminder of the risks inherent in pirated software. Unfortunately, many people who install pirated applications expect to see security alerts, because the software is not legitimately signed, so they reflexively click Install and skip straight past any warnings from macOS Gatekeeper.

Additionally, install reputable anti-virus and anti-malware software. Although this malware can sneak in undetected, an extra layer of defense on your Mac is always good practice.
