A backdoor has been spotted in a pirated application targeting Apple macOS users that is capable of giving attackers remote control over infected machines.
“These applications are being hosted on Chinese pirate websites to gain victims,” said Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley.
“Once detonated, the malware will download and execute multiple payloads in the background to secretly compromise the victim’s machine.”
Backdoor disk image (DMG) files, which have been modified to establish communication with actor-controlled infrastructure, include legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
The unsigned applications, in addition to being hosted on a Chinese website called macyy[.]cn, include a dropper component called “dylib” that is executed every time the application is opened.
The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.
The backdoor – written to the path “/tmp/.test” – is fully featured and built on top of an open-source post-exploitation toolkit called Khepri. The fact that it is located in the “/tmp” directory means that it will be deleted when the system is shut down.
As said, it will be recreated in the same location the next time the pirated application is loaded and the dropper is executed.
The downloader, on the other hand, is written to the hidden path “/Users/Shared/.fseventsd”, after which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.
While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.
Jamf said the malware has many similarities with ZuRu, which has previously been seen spreading through pirated applications on Chinese sites.
“It is possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands, and attack infrastructure,” the researchers said.
