January 19, 2024 at 08:51AM
Pirated macOS applications distributed through Chinese websites harbor a backdoor that gives attackers remote control over infected machines. The malware, hosted on “macyy[.]cn,” uses a dropper to fetch backdoor and downloader components, which provide persistence and the ability to stage additional payloads. The activity echoes previous incidents involving the ZuRu malware and may indicate a successor.
The key takeaways from the researchers' report are:
1. Pirated applications targeting Apple macOS users have been observed containing a backdoor that allows attackers remote control of infected machines.
2. The disk image (DMG) files carry trojanized copies of legitimate software, including Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop, whose binaries have been modified to establish communications with actor-controlled infrastructure.
3. The malware includes a dropper component, a malicious dynamic library (dylib) loaded by the modified application, that fetches a backdoor and a downloader from a remote server to quietly compromise the victim’s machine.
4. The backdoor is fully featured and built atop the open-source post-exploitation toolkit Khepri. It is written to the “/tmp” directory, which macOS clears on reboot, so the dropper recreates it at the same location each time the pirated application is launched.
5. The downloader is responsible for persistence and beacons to an actor-controlled server with HTTP GET requests.
Additionally, the researchers noted that the malware shares several similarities with ZuRu and suggested it may be a successor to that family, given the overlap in targeted applications and the shared use of modified load commands to pull in a malicious library.
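The report's key artifact is a pirated binary whose Mach-O load commands were edited to load an extra dylib. The triage a practitioner wants is therefore a diff of the dylib load commands between the suspect executable and a known-clean copy of the same application (the equivalent of comparing `otool -L` output). The script below is an added example, not the researchers' tooling or the page's own code: it parses thin 64-bit Mach-O headers, lists every dylib-loading load command, and reports paths the clean build does not reference. The two sample images, the CPU type, and the `libevil.dylib` name are constructed for illustration; fat (universal) and 32-bit images are deliberately rejected rather than handled.

```python
"""
List the dylib load commands of a thin 64-bit Mach-O image and diff them
against a known-clean copy of the same binary.  Added example; the sample
images below are constructed inline (minimal header + load commands), they
are not real application binaries.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE            # MH_MAGIC_64 seen through the wrong byte order
LC_REQ_DYLD = 0x80000000
# Load commands that make dyld map another image into the process.
DYLIB_LOAD_CMDS = {
    0x0C: "LC_LOAD_DYLIB",
    0x20: "LC_LAZY_LOAD_DYLIB",
    0x18 | LC_REQ_DYLD: "LC_LOAD_WEAK_DYLIB",
    0x1F | LC_REQ_DYLD: "LC_REEXPORT_DYLIB",
    0x23 | LC_REQ_DYLD: "LC_LOAD_UPWARD_DYLIB",
}
HEADER64_FMT = "IiiIIIII"                     # struct mach_header_64
HEADER64_SIZE = struct.calcsize(HEADER64_FMT)  # 32 bytes


def list_dylibs(data: bytes):
    """Return [(load command name, dylib path)] in load-command order."""
    magic_le = struct.unpack_from("<I", data, 0)[0]
    if magic_le == MH_MAGIC_64:
        e = "<"
    elif magic_le == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O (fat/32-bit images not handled)")
    (_magic, _cpu, _sub, _ftype, ncmds, sizeofcmds,
     _flags, _reserved) = struct.unpack_from(e + HEADER64_FMT, data, 0)
    off, end, found = HEADER64_SIZE, HEADER64_SIZE + sizeofcmds, []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from(e + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in DYLIB_LOAD_CMDS:
            # struct dylib_command: cmd, cmdsize, then struct dylib whose first
            # field is the lc_str offset of the NUL-terminated path.
            name_off = struct.unpack_from(e + "I", data, off + 8)[0]
            raw = data[off + name_off: off + cmdsize]
            found.append((DYLIB_LOAD_CMDS[cmd], raw.split(b"\0", 1)[0].decode()))
        off += cmdsize
    return found


def extra_dylibs(suspect: bytes, clean: bytes):
    """Dylib paths the suspect image loads that the clean build does not."""
    return sorted({p for _, p in list_dylibs(suspect)} - {p for _, p in list_dylibs(clean)})


# --- constructed sample images (hypothetical, not real applications) ---
def _dylib_cmd(path: str, cmd: int = 0x0C) -> bytes:
    name = path.encode() + b"\0"
    pad = (-(24 + len(name))) % 8      # cmdsize must be a multiple of 8
    return (struct.pack("<IIIIII", cmd, 24 + len(name) + pad, 24, 2, 0x10000, 0x10000)
            + name + b"\0" * pad)


def _macho(cmds) -> bytes:
    body = b"".join(cmds)
    # magic, CPU_TYPE_ARM64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<" + HEADER64_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                       len(cmds), len(body), 0, 0) + body


CLEAN_APP = _macho([
    _dylib_cmd("/usr/lib/libSystem.B.dylib"),
    _dylib_cmd("/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit"),
])
# The same image with one extra load command appended: the tampering pattern above.
TAMPERED_APP = _macho([
    _dylib_cmd("/usr/lib/libSystem.B.dylib"),
    _dylib_cmd("/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit"),
    _dylib_cmd("@executable_path/../Frameworks/libevil.dylib"),   # hypothetical name
])

if __name__ == "__main__":
    for kind, path in list_dylibs(TAMPERED_APP):
        print(f"{kind:22s} {path}")
    print("not in clean build:", extra_dylibs(TAMPERED_APP, CLEAN_APP))
```

To use it on a real bundle, read `Contents/MacOS/<binary>` from the pirated DMG and from a vendor-downloaded copy of the same version and pass both to `extra_dylibs`; any path the clean build does not load, especially one resolved relative to `@executable_path` or `@rpath` into the bundle, is the dropper candidate to pull for analysis. A universal binary must first be split with `lipo -thin` (or the fat header parsed) because the script only accepts thin 64-bit images.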
These key points summarize the main findings and potential implications of the malware targeting Apple macOS users through pirated applications.