Wednesday, December 6, 2023

Analysis of a new macOS Trojan-Proxy

A new proxy trojan malware targeting Mac users has been identified. This malware is being distributed via pirated macOS software offered on various warez sites. The trojan is designed to turn infected computers into traffic-forwarding terminals, effectively anonymizing malicious or illegal activities like hacking, phishing, and illegal transactions. This type of malware is particularly lucrative for cybercriminals, contributing to the formation of massive botnets, with Mac devices now being targeted in these operations.

Kaspersky discovered that this latest campaign involved 35 different tools related to image editing, video compression and editing, data recovery, and network scanning, all laced with the proxy trojan. Unlike legitimate versions of these applications, which are typically distributed as disk image files, the trojanized versions are downloaded as PKG files. These files are riskier as they can execute scripts during installation, gaining administrator rights to perform potentially harmful actions like file modification, file autorun, and command execution.
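Because a PKG can carry preinstall/postinstall scripts that run with elevated rights, a practical defender check is to expand a suspicious package and read its installer scripts before ever running it. The following is an added triage helper written for this post, not code from the article or from Kaspersky. It assumes the package has already been expanded with `pkgutil --expand pkg.pkg outdir` (which produces a `PackageInfo` XML and a `Scripts/` directory), and it builds its own constructed sample package on disk so it runs offline; the indicator patterns are a constructed starting point, not a signature for this campaign.

```python
"""Triage an expanded macOS installer package for scripts it would run.

Added example (not from the article). Assumes the layout produced by
`pkgutil --expand`: a PackageInfo XML next to a Scripts/ directory.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed indicators worth a closer look in an installer script.
SUSPICIOUS_PATTERNS = {
    "launchd_persistence": re.compile(
        r"/Library/LaunchDaemons|/Library/LaunchAgents|launchctl\s+(load|bootstrap)"),
    "background_exec": re.compile(r"\bnohup\b|&\s*$|\bdisown\b", re.M),
    "marks_executable": re.compile(r"chmod\s+[+0-7]*x"),
    "drops_to_system_path": re.compile(r"(cp|mv)\s+.*?(/usr/local/bin|/Library/)"),
    # The article reports the trojan running under this system-process name.
    "system_process_lookalike": re.compile(r"WindowServer"),
}


def triage_expanded_pkg(pkg_dir):
    """Return identifier, whether root is required, scripts and findings."""
    root = ET.parse(os.path.join(pkg_dir, "PackageInfo")).getroot()
    report = {
        "identifier": root.get("identifier"),
        # auth="root" on pkg-info means the installer asks for admin rights
        # (assumption about the PackageInfo schema; verify on a known pkg).
        "requires_root": root.get("auth") == "root",
        "scripts": [],
        "findings": {},
    }
    scripts_el = root.find("scripts")
    if scripts_el is None:
        return report
    for el in scripts_el:
        # Each child is e.g. <postinstall file="./postinstall"/>
        name = os.path.basename(el.get("file", el.tag))
        path = os.path.join(pkg_dir, "Scripts", name)
        report["scripts"].append(name)
        if not os.path.exists(path):
            report["findings"][name] = ["script_missing"]
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        hits = sorted(k for k, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body))
        report["findings"][name] = hits
    return report


def build_sample_pkg():
    """Write a constructed expanded package to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="pkg-triage-")
    os.makedirs(os.path.join(d, "Scripts"))
    with open(os.path.join(d, "PackageInfo"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n'
                 '<pkg-info identifier="com.example.videoconverter" version="1.0" '
                 'auth="root" install-location="/">\n'
                 '  <scripts><postinstall file="./postinstall"/></scripts>\n'
                 '</pkg-info>\n')
    with open(os.path.join(d, "Scripts", "postinstall"), "w") as fh:
        # Constructed sample script mirroring the behaviour the article
        # describes (copy a binary under a system-process name, run it).
        fh.write('#!/bin/sh\n'
                 'cp "$2/Contents/Resources/WindowServer" "/Library/Application Support/.ws/WindowServer"\n'
                 'chmod +x "/Library/Application Support/.ws/WindowServer"\n'
                 'nohup "/Library/Application Support/.ws/WindowServer" >/dev/null 2>&1 &\n')
    return d


if __name__ == "__main__":
    print(triage_expanded_pkg(build_sample_pkg()))
```

Run it against a real expanded package by passing that directory to `triage_expanded_pkg`; an empty `scripts` list with `requires_root` false is what a plain drag-and-drop style installer usually looks like, while any script that both drops a file under `/Library/` and backgrounds it deserves a manual read.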

The scripts embedded in these PKG files run after the program's installation and launch the trojan disguised as a system process called "WindowServer," the name of a legitimate macOS process responsible for managing the graphical user interface. This disguise helps the trojan avoid user scrutiny. The trojan connects to its command and control (C2) server via DNS-over-HTTPS (DoH) to receive operational commands, which are speculated to include creating TCP or UDP connections for proxying activities.
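Two detection angles follow directly from that description: a process calling itself "WindowServer" that does not run from the real binary's location, and a non-browser process talking HTTPS to a public DNS resolver (the DoH pattern). The following is an added example written for this post, not code from the article or from Kaspersky. It parses constructed process and connection listings (in the shape of trimmed `ps -axo pid,user,comm` and `lsof -i -n -P` output); the expected WindowServer path and owning user are assumptions to verify against a known-good machine, the resolver list is a small constructed set of well-known public DoH providers, and the `203.0.113.10` address is a documentation placeholder.

```python
"""Flag WindowServer look-alikes and DoH traffic from unexpected processes.

Added example (not from the article). Expected path/user for the real
WindowServer are assumptions; confirm them against a clean baseline host.
"""
import os

EXPECTED_WINDOWSERVER_PATH = (
    "/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer")
EXPECTED_WINDOWSERVER_USER = "_windowserver"

# Constructed list of well-known public resolvers that serve DoH on 443.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Processes for which DoH on 443 is normal (browsers do it themselves).
DOH_ALLOWED_NAMES = {"Safari", "firefox", "Google Chrome"}

# Constructed sample: pid, user, full command path (paths may contain spaces).
PROCESS_SAMPLE = """\
  104 _windowserver /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
  512 alice /Applications/Safari.app/Contents/MacOS/Safari
 7733 root /Library/Application Support/.ws/WindowServer
"""

# Constructed sample: pid, remote address, remote port.
CONNECTION_SAMPLE = """\
512 1.1.1.1 443
7733 8.8.8.8 443
7733 203.0.113.10 443
"""


def parse_processes(text):
    """Map pid -> {user, path, name} from 'pid user path' lines."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, user, path = line.split(maxsplit=2)
        procs[int(pid)] = {"user": user, "path": path,
                           "name": os.path.basename(path)}
    return procs


def parse_connections(text):
    """Return (pid, remote_addr, remote_port) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            pid, addr, port = line.split()
            out.append((int(pid), addr, int(port)))
    return out


def find_windowserver_masquerades(procs):
    """Pids named WindowServer that are not the expected binary/user."""
    return sorted(pid for pid, p in procs.items()
                  if p["name"] == "WindowServer"
                  and (p["path"] != EXPECTED_WINDOWSERVER_PATH
                       or p["user"] != EXPECTED_WINDOWSERVER_USER))


def find_doh_from_unexpected(procs, conns):
    """(pid, name, resolver) for non-browser processes hitting DoH resolvers."""
    hits = []
    for pid, addr, port in conns:
        proc = procs.get(pid, {"name": "<unknown>"})
        if port == 443 and addr in PUBLIC_DOH_RESOLVERS \
                and proc["name"] not in DOH_ALLOWED_NAMES:
            hits.append((pid, proc["name"], addr))
    return hits


def run_checks(process_text=PROCESS_SAMPLE, connection_text=CONNECTION_SAMPLE):
    procs = parse_processes(process_text)
    conns = parse_connections(connection_text)
    return {"masquerades": find_windowserver_masquerades(procs),
            "doh_from_unexpected": find_doh_from_unexpected(procs, conns)}


if __name__ == "__main__":
    print(run_checks())
```

On a live host, feed `run_checks` the real listings; a hit on both checks for the same pid (wrong-path WindowServer that also talks to a public resolver on 443) is the combination this post describes and is worth isolating the machine over. Note that the DoH check only sees resolvers on the list, so a trojan using its own resolver endpoint will surface only through the process-path check or through proxy-style connection volume.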

REFERENCES

  • https://www.bleepingcomputer.com/news/security/new-proxy-malware-targets-mac-users-through-pirated-software/#:~:text=Cybercriminals%20are%20targeting%20Mac%20users,being%20offered%20on%20warez%20sites
  • https://otx.alienvault.com/pulse/65707986b5636647af655f97

TAGS

apple macos, piracy, trojan, windowserver, dns request, c ip, c server, windows, video converter, trojanproxy, virustotal, android
