Tuesday, July 16, 2024

Beware of Pirated MacOS Apps That Install Chinese Malware

Similar to ZuRu malware, a new malware has been found embedded in pirated macOS applications, which downloads and executes several payloads to compromise devices in the background. Specifically, these apps are hosted on Chinese pirate websites to entice more victims.

The malware specifically targets applications that are frequently downloaded illegally, including FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.

“Once detonated, the malware will download and execute multiple payloads in the background to secretly compromise the victim’s machine,” Jamf Threat Labs shared with Cyber Security News.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

The Execution Of Malicious Activity

Researchers discovered an executable file with the extension “.fseventsd” that imitates a legitimate macOS process. 

Nevertheless, additional research showed that this file was uploaded as a component of a larger disk image (DMG) file on Chinese piracy websites and was not signed by Apple.

Three pirated applications that had all been backdoored by the same malware have been detected after searching VirusTotal for comparable files. When these apps were looked for online, many of them were found to be hosted on macyy[.]cn, a Chinese website that offers links to a lot of applications that have been pirated. 

The report said two further DMGs were trojanized in the same fashion but had not yet been detected by VirusTotal.

Malicious behavior was carried out as a result of every pirated application. The activities are as follows:

  • Malicious dylib

A malicious library that the application loads and runs as a dropper each time the application is opened. In terms of macOS malware, this method of connecting with the system through a malicious dylib is regarded as fairly sophisticated. 

Unfortunately, the application signature is broken as a result. Because of this, the apps are being distributed online as unsigned applications, a fact that many people who download pirated applications probably don’t give thought to.

  • Backdoor

A binary that the malicious dylib downloaded and used the post-exploitation tool and Khepri open-source C2. 

Attackers can download and upload files, obtain system information, and even open a remote shell with the Khepri backdoor.

  • Persistent downloader

A binary downloaded by the malicious dylib that enables persistence and downloads subsequent payloads. With the ability to run any payload from the attacker’s server, the executable serves as a persistent downloader.

According to researchers, given its targeted applications, modified load commands, and attacker infrastructure, this malware could be a successor of the ZuRu. It was originally found in pirated applications such as iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop Client. 


It is critical to understand the risks that come with using software that has been pirated. It is recommended that users utilize macOS applications that identify and filter risks in addition to blocking access to websites known to host pirated software.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.


Latest articles

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles