New Malware Disguised as Popular macOS Apps Uncovered by Jamf Threat Labs
Jamf Threat Labs has recently unveiled a new malware threat affecting macOS, bearing striking similarities to the ZuRu malware discovered in 2021. This malicious software is currently being disseminated through pirated applications hosted in China, raising concerns about Mac users’ cybersecurity.
When users launch these pirated applications, a malicious dynamic library bundled with the app activates a backdoor built on the open-source Khepri post-exploitation tool. This approach allows the malware to evade detection by antivirus software and gain covert access to the target Mac. Once running, the malware opens a channel to the attacker, who can then load additional software onto the compromised Mac and control it.
Jamf discovered this malware while investigating other threats. An executable file named “.fseventsd” drew attention because it was hidden (the leading dot) and shared its name with a legitimate macOS process. Notably, the executable lacked an Apple digital signature and was not flagged as malicious on VirusTotal, a platform for analyzing suspicious files.
The malicious apps found to harbor this malware include FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit. Jamf suggests that this malware could be considered a successor to the ZuRu malware due to its targeting of specific applications, modified load commands, and the infrastructure utilized by the attackers.
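The two observable traits described above, a hidden executable borrowing the name of the legitimate fseventsd daemon and a bundle whose code signature does not verify, lend themselves to a simple local check. The following script is an added example for defenders, not code from the Jamf report; the `/Applications/*.app` paths for the named apps are assumptions, and `codesign` is only available on macOS.

```shell
#!/bin/sh
# Added example (not from the Jamf write-up): flag hidden executables named
# ".fseventsd" and, on macOS, report app bundles whose signature does not verify.

# List hidden, executable regular files named ".fseventsd" below a root.
# The legitimate ".fseventsd" at a volume root is a directory, so -type f
# excludes it; -perm -100 keeps only files with the owner-execute bit set.
# Prints one path per line, nothing when there is no match.
find_fake_fseventsd() {
    root="$1"
    find "$root" -type f -name '.fseventsd' -perm -100 2>/dev/null
}

# Verify an app bundle's code signature with codesign (macOS only).
# Returns 0 when the signature verifies, 1 when it does not, and 2 when
# codesign is unavailable (for example on a non-macOS host).
check_signature() {
    app="$1"
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify --deep --strict "$app" >/dev/null 2>&1
}

# Report on the applications named in the article, if installed.
# The bundle paths are assumptions about typical install locations.
scan_named_apps() {
    for app in "/Applications/FinalShell.app" \
               "/Applications/Microsoft Remote Desktop.app" \
               "/Applications/Navicat Premium.app" \
               "/Applications/SecureCRT.app" \
               "/Applications/UltraEdit.app"; do
        [ -d "$app" ] || continue
        hits=$(find_fake_fseventsd "$app")
        [ -n "$hits" ] && echo "HIDDEN .fseventsd in $app: $hits"
        rc=0; check_signature "$app" || rc=$?
        case "$rc" in
            0) echo "signature OK: $app" ;;
            1) echo "SIGNATURE INVALID or missing: $app" ;;
            *) echo "codesign not available, skipped: $app" ;;
        esac
    done
}
```

Run `scan_named_apps` on a Mac to check the listed bundles; `find_fake_fseventsd /` can be pointed at any tree, including an external volume.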
To Safeguard Against Malware Attacks:
Jamf advises that this new malware strain appears to primarily target victims in China, particularly those who download pirated software. Users can enhance their cybersecurity by exclusively using legitimately acquired apps from reputable sources such as the App Store, known for its rigorous software security checks, or directly from developers.
Apple has already incorporated several security measures into macOS and routinely releases security patches through operating system updates. It is crucial for users to promptly install these updates as they become available. In cases where Apple temporarily withdraws an update due to issues, the company will reissue it once it has been properly revised and corrected.