Tuesday, November 12, 2024
HomeCyber Security NewsBeware of Pirated MacOS Apps That Install Chinese Malware

Beware of Pirated MacOS Apps That Install Chinese Malware

Published on

Malware protection

Similar to ZuRu malware, a new malware has been found embedded in pirated macOS applications, which downloads and executes several payloads to compromise devices in the background. Specifically, these apps are hosted on Chinese pirate websites to entice more victims.

The malware specifically targets applications that are frequently downloaded illegally, including FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.

“Once detonated, the malware will download and execute multiple payloads in the background to secretly compromise the victim’s machine,” Jamf Threat Labs shared with Cyber Security News.

- Advertisement - SIEM as a Service
Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

The Execution Of Malicious Activity

Researchers discovered an executable file with the extension “.fseventsd” that imitates a legitimate macOS process. 

Nevertheless, additional research showed that this file was uploaded as a component of a larger disk image (DMG) file on Chinese piracy websites and was not signed by Apple.

Three pirated applications that had all been backdoored by the same malware have been detected after searching VirusTotal for comparable files. When these apps were looked for online, many of them were found to be hosted on macyy[.]cn, a Chinese website that offers links to a lot of applications that have been pirated. 

The report said two further DMGs were trojanized in the same fashion but had not yet been detected by VirusTotal.

Malicious behavior was carried out as a result of every pirated application. The activities are as follows:

  • Malicious dylib

A malicious library that the application loads and runs as a dropper each time the application is opened. In terms of macOS malware, this method of connecting with the system through a malicious dylib is regarded as fairly sophisticated. 

Unfortunately, the application signature is broken as a result. Because of this, the apps are being distributed online as unsigned applications, a fact that many people who download pirated applications probably don’t give thought to.

  • Backdoor

A binary that the malicious dylib downloaded and used the post-exploitation tool and Khepri open-source C2. 

Attackers can download and upload files, obtain system information, and even open a remote shell with the Khepri backdoor.

  • Persistent downloader

A binary downloaded by the malicious dylib that enables persistence and downloads subsequent payloads. With the ability to run any payload from the attacker’s server, the executable serves as a persistent downloader.

According to researchers, given its targeted applications, modified load commands, and attacker infrastructure, this malware could be a successor of the ZuRu. It was originally found in pirated applications such as iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop Client. 

Recommendation

It is critical to understand the risks that come with using software that has been pirated. It is recommended that users utilize macOS applications that identify and filter risks in addition to blocking access to websites known to host pirated software.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...