
Pirated apps targeting Apple macOS users have been observed to contain backdoors that allow attackers to remotely control infected computers.
“These applications are hosted on Chinese piracy websites and are designed to attract victims,” said Jamf Threat Lab researchers Ferdous Saljooki and Jaron Bradley.
“Once detonated, the malware downloads and executes multiple payloads in the background to covertly compromise the victim’s machine.”
The trojanized disk image (DMG) files, which have been modified to establish communications with attacker-controlled infrastructure, include legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

Besides being hosted on a Chinese website called Macyy[.]cn, the unsigned applications contain a dropper component named “dylib” that is executed every time the application is opened.
The dropper then serves as a conduit to fetch a backdoor (“bd.log”) and a downloader (“fl01.log”) from a remote server; these are used to set up persistence on the infected computer and retrieve additional payloads.
The backdoor – written to the path “/tmp/.test” – is fully functional and built on an open source post-exploitation toolkit called Khepri. It is located in the “/tmp” directory, which means it will be deleted when the system is shut down.
This means that the next time the pirated application is loaded and the implant is executed, it will be created again in the same location.
The downloader, on the other hand, is written to the hidden path “/Users/Shared/.fseventsd”, creates a LaunchAgent to ensure persistence, and issues an HTTP GET request to an actor-controlled server.
Although the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
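A read-only triage check for the artifacts described above, added here as an example rather than code from Jamf or the report: it assumes only the file paths quoted in the article, and because the report does not give the LaunchAgent's label, it matches plists on the indicator paths they reference instead.

```shell
#!/bin/sh
# Read-only triage for the artifacts named in the report (constructed example).
# ROOT is prefixed to every path so the check can run against a mounted volume
# or a test tree; pass "" (or nothing) for the live system.

# File paths quoted in the report: Khepri backdoor, downloader, downloaded payload.
ZURU_PATHS="/tmp/.test /Users/Shared/.fseventsd /tmp/.fseventsds"

# check_paths ROOT PATH... : print each indicator path that exists under ROOT.
check_paths() {
  root="$1"; shift
  for p in "$@"; do
    [ -e "$root$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# scan_launch_agents DIR PATH... : print "<plist><TAB><path>" for every plist in
# DIR that references an indicator path (the agent's label is not known, so
# the plist body is searched for the downloader paths instead).
scan_launch_agents() {
  dir="$1"; shift
  [ -d "$dir" ] || return 0
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    for p in "$@"; do
      grep -qF -- "$p" "$plist" 2>/dev/null && printf '%s\t%s\n' "$plist" "$p"
    done
  done
  return 0
}

# triage ROOT : print one finding per line (empty output means nothing matched).
triage() {
  root="${1:-}"
  check_paths "$root" $ZURU_PATHS | sed 's/^/file present: /'
  for dir in "$root"/Users/*/Library/LaunchAgents "$root"/Library/LaunchAgents; do
    scan_launch_agents "$dir" $ZURU_PATHS | sed 's/^/LaunchAgent references indicator: /'
  done
}

# triage_status ROOT : exit 0 when clean, 1 when any indicator was found.
triage_status() {
  n="$(triage "${1:-}" | wc -l | tr -d ' ')"
  [ "$n" -eq 0 ]
}

# Usage on a live Mac (needs read access to /tmp and user homes):
#   triage_status "" || triage ""
```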

Jamf said the malware bears some similarities to ZuRu, which has been spread through pirated apps on Chinese websites in the past.
“Given its target application, modified load commands, and attacker infrastructure, this malware is likely a successor to the ZuRu malware,” the researchers said.