Beware of Pirated MacOS Apps That Install Chinese Malware

Similar to ZuRu malware, a new malware has been found embedded in pirated macOS applications, which downloads and executes several payloads to compromise devices in the background. Specifically, these apps are hosted on Chinese pirate websites to entice more victims.

The malware specifically targets applications that are frequently downloaded illegally, including FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.

“Once detonated, the malware will download and execute multiple payloads in the background to secretly compromise the victim’s machine,” Jamf Threat Labs shared with Cyber Security News.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Register for Free

The Execution Of Malicious Activity

Researchers discovered an executable file with the extension “.fseventsd” that imitates a legitimate macOS process. 

Nevertheless, additional research showed that this file was uploaded as a component of a larger disk image (DMG) file on Chinese piracy websites and was not signed by Apple.

Three pirated applications that had all been backdoored by the same malware have been detected after searching VirusTotal for comparable files. When these apps were looked for online, many of them were found to be hosted on macyy[.]cn, a Chinese website that offers links to a lot of applications that have been pirated. 

The report said two further DMGs were trojanized in the same fashion but had not yet been detected by VirusTotal.

Malicious behavior was carried out as a result of every pirated application. The activities are as follows:

• Malicious dylib

A malicious library that the application loads and runs as a dropper each time the application is opened. In terms of macOS malware, this method of connecting with the system through a malicious dylib is regarded as fairly sophisticated. 

Unfortunately, the application signature is broken as a result. Because of this, the apps are being distributed online as unsigned applications, a fact that many people who download pirated applications probably don’t give thought to.

• Backdoor

A binary that the malicious dylib downloaded and used the post-exploitation tool and Khepri open-source C2. 

Attackers can download and upload files, obtain system information, and even open a remote shell with the Khepri backdoor.

• Persistent downloader

A binary downloaded by the malicious dylib that enables persistence and downloads subsequent payloads. With the ability to run any payload from the attacker’s server, the executable serves as a persistent downloader.

According to researchers, given its targeted applications, modified load commands, and attacker infrastructure, this malware could be a successor of the ZuRu. It was originally found in pirated applications such as iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop Client. 

Recommendation

It is critical to understand the risks that come with using software that has been pirated. It is recommended that users utilize macOS applications that identify and filter risks in addition to blocking access to websites known to host pirated software.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.