Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software

December 8, 2023 at 05:36AM

A new Trojan-Proxy malware targeting macOS users is spreading via pirated software from unauthorized websites. Kaspersky uncovered a cross-platform threat that also affects Windows and Android. The malware, disguised as legitimate software, uses .PKG installers with malicious scripts. It aims to use infected devices as proxy servers for criminal activities. Users are advised to avoid untrusted software sources.

Meeting Takeaways:

1. A new Trojan-Proxy malware targeting Apple macOS users has been identified, distributed through unauthorized websites offering cracked software.

2. The malware enables attackers to profit financially by building a network of proxy servers, or to engage in criminal activities such as launching cyber-attacks or purchasing illegal items like weapons and drugs.

3. The malware has cross-platform capabilities with evidence of related artifacts for Windows and Android devices found by Kaspersky.

4. The macOS malware is disguised as legitimate software related to multimedia, image editing, data recovery, and productivity but is distributed via .PKG installers with post-install scripts that initiate the malicious activity.

5. Upon installation, the installer may request administrator access, giving the malicious script the same level of permissions.

6. To avoid detection, the Trojan-Proxy masks itself as the WindowServer process, which is crucial for the graphical user interface in macOS.

7. The malware establishes a connection with a command-and-control server using encrypted DNS-over-HTTPS (DoH) and acts as a proxy, redirecting traffic through the infected device.

8. Samples of the malware were found on the VirusTotal scanning engine as of April 28, 2023.

9. Users are advised to protect themselves by only downloading software from trusted sources.

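Takeaway 6 gives defenders a concrete hunting lead: the genuine WindowServer is a single system-owned binary, so any other process carrying that name is suspect. The check below is an added example, not code from the article or from Kaspersky; it runs over a constructed `ps -axo user,pid,comm` style listing (on macOS `comm` shows the full executable path) and assumes the standard system location and `_windowserver` account for the legitimate process.

```python
# Where the genuine macOS WindowServer lives and the account it runs under
# (assumed from the standard macOS system layout; adjust if your baseline differs).
LEGIT_WINDOWSERVER_PATH = (
    "/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer"
)
LEGIT_WINDOWSERVER_USER = "_windowserver"

# Constructed sample shaped like `ps -axo user,pid,comm` output, with one
# impostor named WindowServer planted in a user-writable directory.
SAMPLE_PS_OUTPUT = """\
USER           PID COMM
_windowserver  161 /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
alice         4021 /Applications/Safari.app/Contents/MacOS/Safari
alice         4788 /Users/alice/Library/Application Support/.hidden/WindowServer
root           912 /usr/libexec/trustd
"""


def parse_ps(text):
    """Parse header-prefixed ps output into (user, pid, path) tuples; paths may contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            user, pid, path = parts
            rows.append((user, int(pid), path))
    return rows


def find_windowserver_impostors(rows):
    """Return every process named WindowServer that deviates from the system baseline."""
    findings = []
    for user, pid, path in rows:
        if path.rsplit("/", 1)[-1] != "WindowServer":
            continue
        reasons = []
        if path != LEGIT_WINDOWSERVER_PATH:
            reasons.append("unexpected executable path")
        if user != LEGIT_WINDOWSERVER_USER:
            reasons.append(f"runs as {user!r} instead of {LEGIT_WINDOWSERVER_USER!r}")
        if reasons:
            findings.append({"pid": pid, "user": user, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_windowserver_impostors(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"PID {f['pid']} ({f['path']}): " + "; ".join(f["reasons"]))
```

On a live host, feed the function the output of `subprocess.run(["ps", "-axo", "user,pid,comm"], capture_output=True, text=True).stdout` instead of the sample.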