New Malware Threat Detected in Pirated macOS Apps
Security researchers have issued a warning regarding a novel strain of malware that has been discovered hidden within commonly pirated macOS applications. Once these infected apps are installed, they surreptitiously execute trojan-like malware in the background of a user’s Mac, leading to potentially dire consequences.
The malware was found by Jamf Threat Labs researchers, who encountered an executable file named “.fseventsd” while investigating several threat alerts. The name is borrowed from a legitimate macOS component: the real fseventsd monitors file and directory changes and stores event data used by features such as Time Machine backups. A file named “.fseventsd” should not be an executable at all but a native log, and, more concerning still, this one had not been signed by Apple.
Jamf Threat Labs has emphasized the need for further scrutiny in cases like this. Using VirusTotal, the researchers were able to trace the origins of the enigmatic “.fseventsd” binary, which was initially uploaded as part of a larger DMG file.
Further investigation by researchers Ferdous Saljooki and Jaron Bradley revealed the presence of five disk image (DMG) files containing altered code from commonly pirated applications. These apps included FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.
These trojanized applications are hosted on Chinese piracy websites to lure victims. Once launched, the malware quietly downloads and executes multiple payloads in the background, compromising the victim’s computer without their knowledge.
Although these apps may appear to function as expected on the surface, a dropper operates covertly in the background, establishing communication with an attacker-controlled infrastructure.
At a more technical level, the “.fseventsd” binary executes three malicious activities in sequence. First, it loads a malicious dynamic library (dylib) file, which acts as a dropper, launching each time the application is opened. This is followed by the download of a backdoor binary that leverages the Khepri open-source command-and-control (C2) and post-exploitation tool. Lastly, a downloader is activated, which ensures persistence and fetches additional payloads.
The Khepri open-source project provides attackers with a range of capabilities, including the ability to gather information about the victim’s system, transfer files, establish a remote shell, and more. It is speculated that this malware may be a successor to the ZuRu malware, given its targeted applications, modified load commands, and attacker infrastructure.
Notably, the Khepri backdoor remains concealed in a temporary file, which vanishes upon the victim’s Mac rebooting or shutting down. However, the malicious dylib will reload the next time the user opens the infected application.
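The two observable traits the article describes, a hidden dot-prefixed file that is really a Mach-O executable and a file that carries no Apple signature, can be turned into a simple triage scan. The following script is an added example for defenders and is not Jamf's tooling or code from the article. It walks a directory (defaulting to /Applications, an assumption), reports hidden regular files whose first bytes are a Mach-O or fat-binary magic number, flags names that collide with known system names (the NAME_COLLISIONS set is an illustrative assumption), and, only where macOS's codesign is available, records whether the binary is signed. The sample bundle in demo_scan() is constructed for the example.

```python
"""Added example (not part of the original article or Jamf's tooling):
scan a directory tree for hidden (dot-prefixed) files that are actually
Mach-O executables, the pattern described for the ".fseventsd" dropper.
The default path, the sample bundle and NAME_COLLISIONS are assumptions."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# First four bytes of a Mach-O (thin, 32/64-bit, either byte order) or a
# fat/universal binary. Caveat: 0xCAFEBABE also starts Java .class files.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

# Names borrowed from legitimate macOS processes or log locations; an
# executable carrying one of these names warrants a closer look (assumed list).
NAME_COLLISIONS = {".fseventsd"}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def scan_hidden_executables(root: Path) -> list[dict]:
    """Walk `root` and report hidden regular files that are Mach-O images.

    Each finding records the path, whether the name collides with a known
    system name, and whether the executable bit is set. The result is a
    triage list, not a verdict: a hidden Mach-O is unusual, not proof."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue  # only hidden files are of interest here
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            if not is_macho(path):
                continue
            findings.append({
                "path": str(path),
                "name_collision": name in NAME_COLLISIONS,
                "exec_bit": os.access(path, os.X_OK),
            })
    return findings


def signature_status(path) -> str:
    """Ask codesign (macOS only) whether the binary carries a signature.

    Returns "unavailable" where codesign does not exist, "signed" when
    codesign can read a signature, and "unsigned" otherwise. An unsigned
    hidden Mach-O is the strongest signal this scanner produces."""
    if shutil.which("codesign") is None:
        return "unavailable"
    result = subprocess.run(["codesign", "-dv", str(path)],
                            capture_output=True, text=True)
    return "signed" if result.returncode == 0 else "unsigned"


def demo_scan() -> list[dict]:
    """Build a constructed sample bundle in a temp dir and scan it.

    The sample is invented for this example: a hidden 64-bit Mach-O named
    ".fseventsd", a visible Mach-O main executable, and two hidden
    non-Mach-O files that must not be reported."""
    header = b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # MH_MAGIC_64 plus padding
    with tempfile.TemporaryDirectory() as tmp:
        macos_dir = Path(tmp) / "Sample.app" / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "Sample").write_bytes(header)        # visible: ignored
        dropper = macos_dir / ".fseventsd"
        dropper.write_bytes(header)                        # hidden Mach-O
        os.chmod(dropper, 0o755)
        (macos_dir / ".DS_Store").write_bytes(b"Bud1")     # hidden, not Mach-O
        (macos_dir / ".notes").write_text("plain text")   # hidden, not Mach-O
        return scan_hidden_executables(Path(tmp))


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "/Applications")
    for finding in scan_hidden_executables(target):
        status = signature_status(finding["path"])
        print(f'{finding["path"]}  collision={finding["name_collision"]} '
              f'exec={finding["exec_bit"]} signature={status}')
```

Run it as `python3 scan_hidden_macho.py /Applications` on a Mac; every hit deserves a look at its code signature and at which application bundle it sits in. The magic-number check is deliberately narrow so the scan stays fast, and the codesign step is separated so the rest of the logic can be tested off macOS.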
For protection, Jamf advises caution with pirated software; this campaign appears to target primarily victims in China, via domains ending in “.cn”. Users should also not hastily dismiss macOS Gatekeeper warnings when installing software from unverified sources.
Additionally, it is advisable to install reputable antivirus and anti-malware software. While this specific malware strain can occasionally evade detection, an extra layer of defense on a Mac is a prudent practice to adopt.