December 3, 2023 at 04:11PM
Cybercriminals are distributing a proxy trojan via trojanized macOS software on warez sites. The malware, which converts infected Macs into proxies for illegal activities, is disguised in pirated applications and utilizes PKG installer files that execute malicious scripts with admin rights. Kaspersky’s investigation revealed the multi-platform campaign and the malware’s capability to connect to a C2 server and facilitate proxying.
Key Takeaways from the Meeting Notes:
1. A new proxy trojan malware campaign is targeting Mac users through popular macOS software provided on warez (pirated software) websites.
2. The proxy trojan turns infected Macs into devices that forward web traffic, which is used to anonymize malicious activities such as hacking, phishing, and illegal transactions.
3. Access to such proxies is a profitable market and has resulted in large botnets, with Mac devices increasingly being affected.
4. The campaign was uncovered by Kaspersky, with the first known instance of the malware dating back to April 28, 2023.
5. People looking for free versions of commercial apps are being exploited through the distribution of 35 trojanized applications, including image editors, video tools, data recovery, and network scanning software.
6. Notable trojanized applications listed include: 4K Video Downloader Pro, Aiseesoft Mac Data Recovery and Video Converter Ultimate, AnyMP4 Android Data Recovery for Mac, Downie 4, FonePaw Data Recovery, Sketch, Wondershare UniConverter 13, SQLPro Studio, and Artstudio Pro.
7. The trojanized software differs from legitimate versions as they are distributed via PKG files instead of disk images, which pose higher risks as they can execute scripts with administrator permissions during installation.
8. An embedded script is executed after installation that activates the trojan, disguised as a legitimate macOS process named WindowServer, which is tasked with managing the GUI of the operating system.
9. The trojan is engineered to evade detection by naming its startup launch file “GoogleHelperUpdater.plist”, which sounds like a legitimate Google configuration file.
10. The malware communicates with its command and control server using DNS-over-HTTPS to receive operational commands, which could facilitate the creation of TCP or UDP connections for its proxying activities.
11. The same C2 infrastructure involved in the macOS campaign is also hosting proxy trojan payloads for Android and Windows systems, indicating that the campaign operators are targeting a broad spectrum of devices.