An Unusual Discovery: Is the Enemy Where We Least Expect It?

The latest research conducted by Kaspersky’s research team has revealed a unique type of malicious software for MacOS systems.

Previously unidentified, this family of malware is discreetly distributed through pirated applications and targets users’ cryptocurrency wallets on macOS. Unlike the proxy trojans discovered earlier, this new threat focuses on compromising the wallets themselves.

This digital trojan is unique in two ways. Firstly, it uses DNS records to deliver an infected Python script. Secondly, it not only steals cryptocurrency wallets but replaces the wallet application with its own infected version. This allows it to steal the secret phrase used to access the cryptocurrencies stored in the wallets.

The malware mainly targets macOS users running versions 13.6 and newer, indicating a focus on users of newer operating systems, on both Intel and Apple Silicon devices. The compromised disk images contain an “activator” and the desired application. The seemingly harmless activator triggers the infected application after the user enters their password.

The attackers repackage previously cracked versions of applications, modifying their executable files so that they do not work until the user runs the activator. This tactic leads the user to unwittingly launch the infected application.

Once the patching process is complete, the malware carries out its primary function: it retrieves DNS TXT records from a malicious domain and decrypts the Python script they carry. This script runs in an endless loop, attempting to fetch the next stage of the infection chain, which is also a Python script.
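A defender-side example, added here and not part of Kaspersky’s report or the article: a Python triage script run over constructed DNS log lines that flags TXT answers shaped like an encoded script (long, base64-only, high-entropy) and hosts that keep re-querying the same name for TXT records, the pattern the fetch loop described above would leave in resolver logs. The log layout, the domain names and the payload blob are all constructed assumptions, not values from the campaign.

```python
"""Triage DNS logs for TXT answers shaped like an encoded payload rather than a
normal TXT record. Constructed samples; the '<ts> <client> <qname> <qtype> <rdata>'
layout is an assumption of this example, not a real resolver's log format."""
import base64
import hashlib
import math
import re
from collections import Counter

# Legitimate TXT families excluded before scoring (DKIM keys are long base64 too).
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")
BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/]+=*$")

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of encrypted or compressed data sits near 6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_payload_like(rdata: str, min_len: int = 100, min_entropy: float = 4.5) -> bool:
    """Long, base64-only and high-entropy: the shape of a script, not a policy record."""
    payload = rdata.strip().strip('"')
    if payload.startswith(KNOWN_TXT_PREFIXES) or len(payload) < min_len:
        return False
    return bool(BASE64_ONLY.match(payload)) and shannon_entropy(payload) >= min_entropy

def scan_log(lines, poll_threshold: int = 3):
    """Return (qnames with payload-like TXT answers, (client, qname) pairs polled repeatedly)."""
    hits, polls = [], Counter()
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[3] != "TXT":
            continue
        _ts, client, qname, _qtype, rdata = parts
        polls[(client, qname)] += 1  # a stage-fetch loop re-queries the same name
        if is_payload_like(rdata):
            hits.append(qname)
    pollers = sorted(k for k, v in polls.items() if v >= poll_threshold)
    return sorted(set(hits)), pollers

# Constructed sample: a deterministic 128-byte blob stands in for an encrypted script.
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
FAKE_STAGE = base64.b64encode(_BLOB).decode()  # placeholder, not a real malware sample
SAMPLE_LOG = [
    '10:00:01 10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com ~all"',
    '10:00:02 10.0.0.5 sel._domainkey.example.com TXT "v=DKIM1; k=rsa; p=' + "A" * 200 + '"',
    '10:00:03 10.0.0.5 example.com TXT "google-site-verification=' + "B" * 43 + '"',
    '10:00:04 10.0.0.5 token.example.com TXT "' + "Z" * 120 + '"',  # long but zero entropy
] + [f'10:0{i}:00 10.0.0.7 c2.example.invalid TXT "{FAKE_STAGE}"' for i in range(1, 4)]
```

Tune `min_len`, `min_entropy` and `poll_threshold` against a baseline of your own resolver logs before alerting on them; DKIM-style records are excluded by prefix precisely because they would otherwise dominate the results.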

The next link in the infection chain is designed to execute arbitrary commands received from the server. No commands were received during the investigation, but the backdoor was regularly updated, suggesting an ongoing campaign. The code suggests that those commands are likely delivered as encoded Python scripts.

In addition to the functionality described above, the script contains two significant features tied to the domain apple-analyzer[.]com. Both check for the presence of cryptocurrency wallet applications and replace them with versions downloaded from that domain. This tactic was observed against the Bitcoin and Exodus wallets, turning those applications into trojanized copies.

“Malware for macOS associated with pirated software highlights serious threats. Cybercriminals use pirated applications to easily gain access to users’ computers and obtain administrator rights by prompting them to provide their passwords. The creators demonstrate exceptional creativity by hiding the Python script in a DNS server record, elevating the level of stealthiness of this malware in network traffic. Users should exercise caution, especially with cryptocurrency wallets. Avoid downloading from suspicious sources and utilize trusted cybersecurity solutions to enhance security,” says Sergey Puzan, a security researcher at Kaspersky.

Key Questions about macOS Malware:

1. What is the purpose of this malware infection?
The malware is distributed through pirated applications and aims to steal users’ digital cryptocurrency wallets on macOS.

2. How does this malware infect computers?
The malware uses DNS records to deliver an infected Python script. It then replaces the cryptocurrency wallet application with its own infected version to steal access credentials.

3. Which operating systems are targeted by the malware?
The malware primarily targets macOS users running versions 13.6 and newer, on both Intel and Apple Silicon devices.

4. How does the infection through pirated applications work?
The malware modifies the executable files of the pirated applications to make them non-functional. The user then unwittingly activates the infected application by entering their password when the activator prompts for it.

5. What are the main functions of the malware?
The malware retrieves DNS TXT records from a malicious domain and executes the Python script they contain, which attempts to fetch the next stage of the infection. That stage is designed to receive arbitrary commands from the server and execute them on the infected device.

6. Which cryptocurrency wallets are at risk?
The malware uses functions tied to the apple-analyzer[.]com domain to check for the presence of cryptocurrency wallet applications and replace them with malicious versions. This behaviour was observed against the Bitcoin and Exodus wallets.

7. What precautions should be taken?
Users should exercise caution when using pirated applications and downloading from suspicious sources. It is recommended to utilize trusted cybersecurity solutions to enhance security.


The source of this article is the blog yanoticias.es.