Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.
The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.
The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.
The backdoor – written to the path “/tmp/.test” – is fully-featured and built atop an open-source post-exploitation toolkit called Khepri. The fact that it is located in the “/tmp” directory means it will be deleted when the system shuts down.
Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.
“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.
Source: https://thehackernews.com/
