Cracked macOS apps drain wallets using scripts fetched from DNS records

January 22, 2024 at 05:31PM

Hackers are using a covert technique to deliver information-stealing malware to macOS users: the malicious scripts are fetched from DNS records. The campaign targets users of macOS Ventura and later and relies on cracked applications that carry a trojan. Victims run the malware themselves, granting it access to their system and exposing sensitive data. Kaspersky's findings show how far malware delivery methods have evolved.

Key takeaways from the article:

1. Hackers are using a stealthy method to deliver information-stealing malware to macOS users through DNS records that hide malicious scripts.
2. The campaign targets users of macOS Ventura and later, relying on cracked applications repackaged as PKG files that include a trojan.
3. The malware is executed after being placed in the /Applications/ folder and disguised as an activator for a cracked app, leading to a prompt for the administrator password.
4. The malware contacts its command and control server, fetching a base64-encoded Python script that can run arbitrary commands on the breached device.
5. The Python script acts as a downloader for another script that provides backdoor access and gathers information about the infected system.
6. The threat actor hides its activity inside traffic by accessing the C2 server through a unique URL and receiving the Python script payload disguised as TXT records from the DNS server.
7. The campaign also involves replacing Bitcoin Core and Exodus wallets with backdoored copies that steal users’ information.
8. Cracked applications are identified as one of the easiest ways for malicious actors to access users’ computers, highlighting the importance of vigilance when downloading applications.
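To illustrate the DNS-based delivery described in points 4 to 6, here is an added defensive example (not code from the article or from Kaspersky's report): it scans DNS TXT record values for base64 that decodes to a Python-looking script, which is the shape of payload the trojan retrieves. All record names and values below are constructed samples, not indicators from the campaign.

```python
import base64
import binascii
import re

# Constructed sample TXT records (not real indicators): an SPF record, a DKIM
# record, a pure-binary base64 blob, and a base64-encoded harmless Python snippet
# standing in for the downloader script the article describes.
SAMPLE_TXT_RECORDS = {
    "example.test": "v=spf1 include:_spf.example.test -all",
    "sel._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "bin.example.test": base64.b64encode(b"\x30\x82\x01\x22\x30\x0d\x06\x09" * 4).decode(),
    "x1.c2.example.test": base64.b64encode(
        b"import subprocess\nimport os\nprint('constructed harmless sample')\n"
    ).decode(),
}

# Tokens that rarely appear in legitimate TXT records but are common in scripts.
PYTHON_MARKERS = ("import ", "subprocess", "os.system", "exec(", "eval(", "urllib")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def decode_if_base64(value: str):
    """Return decoded bytes if the whole record is one base64 blob, else None."""
    compact = "".join(value.split())  # TXT data is often split into chunks
    if len(compact) < 16 or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_python(blob: bytes) -> bool:
    """Heuristic: decodes as printable text and carries at least two script tokens."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if any(not (ch.isprintable() or ch in "\r\n\t") for ch in text):
        return False
    return sum(marker in text for marker in PYTHON_MARKERS) >= 2


def flag_suspicious_txt(records: dict) -> list:
    """Names whose TXT value is base64 that decodes to a Python-looking script."""
    hits = []
    for name, value in records.items():
        decoded = decode_if_base64(value)
        if decoded is not None and looks_like_python(decoded):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(flag_suspicious_txt(SAMPLE_TXT_RECORDS))  # → ['x1.c2.example.test']
```

Fed with TXT answers from a DNS resolver log, this flags only records that decode to script text, while SPF, DKIM and binary blobs pass through.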
