January 18, 2024 at 10:51AM
Researchers from Jamf Threat Labs discovered a stealthy macOS backdoor hidden in trojanized apps distributed on Chinese websites. The malware, named “.fseventsd,” gives attackers control of victims’ machines. It evades detection by imitating a legitimate process and is delivered through a malicious library loaded by the modified app. The campaign highlights the risk posed by pirated apps and the growing targeting of macOS. Defenders should treat such threats as a priority.
Key takeaways from the meeting notes are as follows:
– A stealthy macOS backdoor has been discovered that allows attackers to remotely control infected machines; it hides in trojanized applications hosted on Chinese websites.
– The backdoor, disguised as a binary named “.fseventsd,” resembles known malware but adds a new level of stealth.
– Researchers from Jamf Threat Labs have identified the poisoned apps and confirmed they communicate with attacker infrastructure.
– The malware behaves like code from the Khepri open-source project and is designed to blend in with other processes on the operating system.
– The malware carries out three main malicious activities, including a backdoor binary built on the Khepri open-source command-and-control (C2) framework and a downloader that sets up persistence and fetches additional payloads.
– The malware shares some similarities with the ZuRu malware, a previously identified data-stealing malware for macOS.
– The campaign demonstrates the ongoing risk to the macOS platform from pirated applications and highlights how often attackers now plant malicious libraries inside modified applications to compromise users.
– To protect the platform, macOS enterprises are advised to deploy software that detects and blocks such threats, to block access to websites known for hosting pirated software, and to strongly discourage downloading pirated apps.
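As an added defender-side check (not code from the Jamf report), the script below hunts a process listing for the masquerade described above: a running executable whose basename is the hidden dotfile “.fseventsd,” or a “fseventsd” that does not run from the expected system location. The path assigned to LEGIT_FSEVENTSD is the assumed location of the genuine daemon on current macOS and should be verified on your own build; the process listing is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Flag processes masquerading as the macOS fseventsd daemon.
# Added example for this summary; not code from the Jamf Threat Labs report.

# Assumed path of the legitimate daemon on current macOS (verify on your build).
LEGIT_FSEVENTSD='/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd'

# Reads `ps -axo pid=,comm=` style lines on stdin and prints "pid path" for
# every process whose executable is a hidden ".fseventsd" dotfile, or a
# "fseventsd" that is not running from the expected system location.
flag_fseventsd_masquerade() {
    while read -r pid path; do
        [ -n "$pid" ] || continue          # skip blank lines
        base=${path##*/}                   # basename without calling a subprocess
        case "$base" in
            .fseventsd)
                printf '%s %s\n' "$pid" "$path" ;;
            fseventsd)
                [ "$path" = "$LEGIT_FSEVENTSD" ] || printf '%s %s\n' "$pid" "$path" ;;
        esac
    done
}

# Constructed sample process listing (not captured from a real host).
SAMPLE_PS='  101 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd
  202 /Users/alice/Library/Application Support/.fseventsd
  303 /Applications/Safari.app/Contents/MacOS/Safari
  404 /opt/fseventsd
  505 /usr/libexec/trustd'

# On a live Mac, feed the real listing instead:
#   ps -axo pid=,comm= | flag_fseventsd_masquerade
printf '%s\n' "$SAMPLE_PS" | flag_fseventsd_masquerade
```

A non-empty result is a lead to triage, not proof of compromise: confirm by inspecting the flagged binary’s signature and the app that launched it.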
These takeaways summarize the key points in the meeting notes about the discovered macOS backdoor, its implications, and the recommended actions for protecting against such threats.