Warning: macOS Backdoor Discovered in Pirated Versions of Popular Software

Security experts have issued an alert about pirated applications aimed at Apple macOS users that contain a concealed backdoor capable of granting remote control to malicious actors. Researchers revealed that these trojanized applications are hosted on Chinese pirating websites, where they are positioned to reach likely victims. Once launched, the malware downloads and executes multiple payloads in the background, discreetly compromising the victim's machine.

The compromised disk image (DMG) files, modified to establish communication with actor-controlled infrastructure, include seemingly legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop. Despite being unsigned, these applications are readily available on a Chinese website named macyy[.]cn. Additionally, the pirated applications incorporate a dropper component in the form of a dynamic library (dylib), which executes every time the application is launched.

The dylib dropper serves as a conduit, fetching a backdoor ("bd.log") and a downloader ("fl01.log") from a remote server. These components are used to establish persistence on the compromised machine and retrieve additional payloads. The backdoor, written to "/tmp/.test," is fully featured and built upon the open-source post-exploitation toolkit called Khepri. Its placement in the "/tmp" directory means it is removed when the system shuts down, but it is recreated each time the pirated application is loaded and the dropper runs.

The downloader, by contrast, is written to the hidden path "/Users/Shared/.fseventsd." It then creates a LaunchAgent to ensure persistence and sends an HTTP GET request to a server controlled by the threat actor. While that server is currently inaccessible, the downloader is designed to write the HTTP response to a new file at /tmp/.fseventsds and then execute it.
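For defenders who want to check a Mac for the artifacts described above, the following POSIX shell script is an added example written for this article; it is not code from the researchers or from the malware. It looks for the three file paths the report names (/tmp/.test, /Users/Shared/.fseventsd, /tmp/.fseventsds) and scans LaunchAgent plists for references to them. The report does not give the LaunchAgent's label or file name, so the script scans every plist in the user and system LaunchAgents directories rather than assuming a name; an optional root-prefix argument lets it run against a mounted image or a test tree instead of the live system.

```sh
#!/bin/sh
# Hunt for the file-system indicators named in the report (added example, not the
# researchers' tooling). Paths below are taken from the article; the LaunchAgent
# name is not known, so every plist in the LaunchAgents directories is checked.

# Indicator paths from the report: backdoor, downloader, and the downloader's output.
IOC_PATHS="/tmp/.test /Users/Shared/.fseventsd /tmp/.fseventsds"

# check_paths [ROOT]: report any indicator path present beneath ROOT (default: live
# system, i.e. an empty prefix). Returns 0 when clean, 1 when anything was found.
check_paths() {
    root="${1:-}"
    status=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            status=1
        fi
    done
    return $status
}

# scan_launchagents DIR: flag any plist in DIR whose contents reference one of the
# indicator paths (the persistence mechanism the report describes).
# Returns 0 when clean, 1 when at least one suspicious plist was found.
scan_launchagents() {
    dir="$1"
    status=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue          # no plists: glob stays literal, skip it
        for p in $IOC_PATHS; do
            if grep -q -F -- "$p" "$plist"; then
                echo "SUSPICIOUS LaunchAgent: $plist references $p"
                status=1
            fi
        done
    done
    return $status
}

# main [ROOT]: run both checks against ROOT (default: the live system).
main() {
    root="${1:-}"
    overall=0
    check_paths "$root" || overall=1
    scan_launchagents "$root${HOME:-}/Library/LaunchAgents" || overall=1
    scan_launchagents "$root/Library/LaunchAgents" || overall=1
    [ "$overall" -eq 0 ] && echo "No indicators from the report found under '${root:-/}'."
    return $overall
}

main "$@" || echo "Indicators present; review the findings above."
```

Run it as `sh hunt.sh` on the machine being examined, or `sh hunt.sh /Volumes/Image` against a mounted volume. A hit on /tmp/.test confirms only that the backdoor was dropped in this session (the report notes /tmp is cleared at shutdown), so absence there does not clear the host; the downloader path and a LaunchAgent referencing it are the persistent indicators to act on.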

The researchers emphasized that the identified malware shares traits with ZuRu, which was previously observed spreading via pirated applications on Chinese websites. They suggest that this newly discovered malware may be a successor to ZuRu, given the overlap in targeted applications, the similarly modified load commands, and the similarities in attacker infrastructure.

Preventing macOS backdoor malware of this kind starts with avoiding pirated software and obtaining applications from official app stores or the vendor directly. Keep the operating system and applications up to date, leave built-in security features such as Gatekeeper enabled, and use reputable antivirus software. Exercise caution when clicking links or downloading attachments, and consider network-level security controls that can detect and block communication with malicious infrastructure.