The cracked software was observed infecting Apple macOS users with a previously undocumented stealer malware capable of collecting system information and cryptocurrency wallet data.
Kaspersky discovered the artifacts in the wild and said they were designed to target machines running macOS Ventura 13.6 and later, suggesting the malware is capable of infecting Macs powered by Intel and Apple silicon processor architectures.
The attack chain utilizes booby-trapped disk image (DMG) files, which include a program called “Activator” and pirated versions of legitimate software such as xScope.
It is recommended that the user who ultimately opens the DMG file moves both files to the Applications folder and executes the Activator element to apply the supposed patch and execute the xScope application.
However, launching the Activator displays a prompt asking the victim to enter the system administrator password, allowing the victim to execute the Mach-O binary with elevated privileges to launch the modified xScope executable.
Security researcher Sergey Puzan said: “The trick is that the malicious actor takes a pre-cracked version of the application and adds a few bytes to the beginning of the executable file, thereby disabling it and Causes the user to launch the Activator.”
The next stage requires establishing contact with the command and control (C2) server to obtain the encrypted script. The C2 URL is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as the third-level domain name.
A DNS request for the domain is then sent to retrieve three DNS TXT records, each containing a Base64-encoded ciphertext fragment, which is decrypted and assembled to construct a Python script, which in turn reaches out via to establish persistence and act as a downloader to Apple Health[.]org” downloads and executes the main load every 30 seconds.
“It’s a pretty interesting and unusual way to contact a command and control server and hide the activity in the traffic, and it guarantees that the payload is downloaded because the response message comes from the DNS server,” Puzan explained, adding It’s described cleverly as “serious”. “
The backdoor is actively maintained and updated by threat actors and is designed to run incoming commands, collect system metadata, and check for the presence of Exodus and Bitcoin Core wallets on the compromised host.
If found, the application will be replaced by a Trojan version downloaded from the “apple-analyst” domain[.]com”, which can leak seed phrases, wallet unlock passwords, names and balances to attacker-controlled servers.
“The final payload is a backdoor that can run any script with administrator rights and replace the Bitcoin Core and Exodus crypto wallet applications installed on the computer with infected versions that steal the secret recovery phrase when the wallet is unlocked,” “Puzan said.
This development comes as cracked software is increasingly becoming a conduit for harming macOS users with a variety of malware, including Trojan-Proxy and ZuRu.
