Several cracked applications were recently observed distributed by unauthorized websites and loaded with a macOS trojan-proxy.
In a blog post Dec. 6, Kaspersky researchers said attackers use this malware to make money by building a proxy server network or to perform criminal acts. The activities include launching attacks on websites, companies and individuals, as well as buying guns, drugs and other illicit goods.
The researchers said that, unlike the original clean applications, which are typically distributed as disk images, the infected versions came as .PKG installers. These files are handled by the dedicated Installer utility in macOS and can run scripts before and after the actual installation. In the samples Kaspersky gathered, the scripts ran only after the application was installed.
“Illegally distributed software historically has served as a way to sneak malware onto victims’ devices,” wrote the researchers. “Often, users are not willing to pay for software tools they need, so they go searching the Web for a ‘free lunch.’ They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.”
This malware, embedded within cracked versions of popular software, highlights an alarming trend in cyber threats targeting macOS systems, said Callie Guenther, senior manager, cyber threat research at Critical Start. Guenther said for macOS users, the primary implication is a significant compromise in security.
“Users unknowingly installing this trojan-proxy are inadvertently turning their devices into nodes for illicit activities,” said Guenther. “These activities can range from hacking and phishing to facilitating transactions for illegal goods. From a network perspective, the trojan's impact is also quite concerning. By converting infected devices into proxy servers, it effectively anonymizes the cybercriminals' activities. This approach enables them to route malicious or illegal traffic through these proxies, making detection and tracing exceedingly challenging."
Guenther also pointed out that the use of DNS over HTTPS (DoH) within the trojan to obscure its communication with command-and-control (C2) marks a significant advancement in malware stealth capabilities. Guenther said DoH makes the detection of malicious traffic more challenging, as it blends with regular HTTPS traffic, which necessitates more advanced network monitoring solutions capable of inspecting encrypted traffic for potential threats.
“The emergence of this macOS trojan-proxy underscores the evolving and increasingly sophisticated nature of cyber threats,” explained Guenther. “It highlights the need for continual adaptation and advancement in cybersecurity practices and threat intelligence methodologies to effectively combat these emerging challenges.”
Ken Dunham, director of cyber threat at Qualys, added that Mac users have long been targeted by botnet actors: beneath the user-facing Mac layer sits a Berkeley Software Distribution (BSD) codebase layer that is silently abused by malicious users who compromise an endpoint.
Dunham said Mac users felt invulnerable to attack for many years because of the large volume of attacks seen on Windows machines. While the attack surface of Windows has clearly been much larger, Dunham said that in 2023 every operating system and software attack surface is under attack, with attackers leaving no stone unturned.
“Malicious abuse of a network by a trojan-proxy may not be noticed for a long period of time, depending on the impact upon current resources and visibility by the affected user or organization,” said Dunham. “The longer an attacker has access to an organization, the higher the risk for that organization, based upon actions the bad actor may take while having access and control within that organization.”
Dunham said Mac users are urged to follow best practices and stay aware of current tactics used to trick users into downloading what appear to be legitimate installer packages. They should also only use reputable sites with installers that have been scanned for viruses and, ideally, checked against a checksum hash value to ensure the integrity and authenticity of the source and code prior to installation.
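As an added defender-side example (not code from the article, Kaspersky or the quoted analysts), the shell functions below apply the two checks the article describes: compare a downloaded .PKG against the SHA-256 the vendor publishes before handing it to Installer, and expand the package with `pkgutil` to list any preinstall/postinstall scripts it would run. The function names and the placeholder file are constructed; it assumes a POSIX shell with `sha256sum` or `shasum`, and `pkgutil`/`cpio` only when run on macOS.

```shell
#!/bin/sh
# Added example, not the article's or Kaspersky's code. Function names
# (pkg_sha256, inspect_pkg_scripts, check_pkg) are hypothetical.

# Print the SHA-256 of a file using whichever tool the host provides.
pkg_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Expand a flat .pkg (macOS pkgutil) and list the scripts each component
# carries; pre/postinstall scripts are what Installer runs as root.
# Returns 0 if no scripts were found, 1 if any were (read them first).
inspect_pkg_scripts() {
    command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not available; skipping script inspection"; return 0; }
    tmp=$(mktemp -d) || return 2
    pkgutil --expand "$1" "$tmp/expanded" || { rm -rf "$tmp"; return 2; }
    found=0
    # After --expand each component holds "Scripts": a gzip'd cpio archive
    # (or a directory when --expand-full was used); list its entries.
    for s in $(find "$tmp/expanded" -name Scripts); do
        echo "component $(basename "$(dirname "$s")") carries scripts:"
        if [ -f "$s" ]; then gzip -dc "$s" | cpio -it 2>/dev/null; else ls "$s"; fi
        found=1
    done
    rm -rf "$tmp"
    return $found
}

# check_pkg <expected-sha256> <file.pkg>: refuse on hash mismatch (1),
# otherwise inspect embedded scripts. 0 means hash OK and no scripts.
check_pkg() {
    expected=$1; pkg=$2
    actual=$(pkg_sha256 "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $pkg (got $actual); do not install" >&2
        return 1
    fi
    echo "SHA-256 matches the published value"
    inspect_pkg_scripts "$pkg"
}

# Constructed demo input: a placeholder file standing in for a download.
demo=$(mktemp) && printf 'placeholder installer bytes\n' > "$demo"
published=$(pkg_sha256 "$demo")   # stands in for the vendor's published hash
check_pkg "$published" "$demo" && echo "hash OK, no embedded scripts"
check_pkg "0000000000000000000000000000000000000000000000000000000000000000" "$demo" || echo "refused"
rm -f "$demo"
```

On macOS, `pkgutil --check-signature file.pkg` adds a third check, showing whether the package carries a valid Developer ID signature.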