Security researchers have uncovered a new malware campaign targeting macOS users that spreads through pirated applications and contains backdoors designed to steal cryptocurrency wallet keys and other sensitive information.
Malware Hides in Cracked Adobe and Microsoft Apps
The malware was first spotted on January 19th by researchers at Kaspersky hiding inside pirated copies of Adobe Lightroom, Photoshop, Microsoft Office and other popular applications. It spreads through websites offering illegal “cracked” software downloads. Initial analysis found over 30 compromised applications on these sites.
Once installed via the infected apps, the malware establishes persistence and proceeds to download additional components. One module targets macOS accessibility features to silently control the system while stealing wallet keys and other confidential data entered by a user.
Another component leverages DNS tunneling to retrieve remote scripts from the attacker’s servers. These scripts can install additional malware, execute commands and exfiltrate data.
Infected App Types
- Word, Excel, PowerPoint
- Parallels Desktop, WinRAR
- Final Cut Pro, Logic Pro
This combination of stealthy system control and encrypted data retrieval channels makes the malware particularly hard to detect and remove.
Crypto Wallets and Bank Accounts in Crosshairs
While the malware appears to still be under active development, its current capabilities point to a likely focus on harvesting cryptocurrency wallet keys as well as online banking credentials through keylogging and screen capturing.
Security experts speculate the malware authors are specifically targeting Bitcoin and Ethereum wallets at this stage based on code analysis. However, the remote scripting functionality could easily be expanded to other currencies and assets.
“The threat actor put a lot of effort into designing it to be very difficult to detect and eliminate.” – researchers at Anquan Beast security team
In addition to stolen cryptocurrency, confidential files like passwords and encryption keys are also prime targets for exfiltration and abuse.
Control of the accessibility features grants the malware high-level access to user actions. Combined with screen capturing, this results in a serious loss of privacy across many apps and accounts on an infected device.
Spreading Through Trusted Channels
Rather than rely on more common phishing attacks, the malware instead piggybacks on cracked software downloads from forums and torrent sites that often appear legitimate and trustworthy to users.
This allows it to land on systems whose users may be more security-conscious about unknown links and attachments. Prominent crack sites distribute pirated premium software to millions of users, which yields plenty of high-value targets.
“Leveraging cracked software as an infection vector is an effective technique and we will likely see more types of malware adopt this distribution method.”
Once installed by a victim, the compromised device can also serve to spread further infections within a network or organization since the malware and its behaviors are harder to flag as malicious.
Difficult Detection and Removal
Uninstalling the associated host app will not remove the infection, as several components run as detached processes and establish persistent launch points. The malware is also bundled with trusted Apple utilities like Script Editor to disguise its malicious actions.
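The "persistent launch points" mentioned above are, on macOS, normally launchd property lists in the LaunchAgents and LaunchDaemons folders. The following triage script is an added example written for this article, not code from Kaspersky or from the campaign analysis; it assumes the launch points are launchd plists and applies a few defender heuristics (program outside baseline locations, an interpreter such as osascript driving the item, hidden directories in the path, an Apple-style label sitting in a per-user LaunchAgents folder). The three plists and their paths are constructed samples.

```python
import os
import plistlib

# Program locations treated as baseline-trusted for this triage heuristic.
# /Applications/ is also where cracked apps land, so this is a first filter, not proof.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

# Interpreters and download tools commonly driven from launchd persistence
# (assumption for this example, not an exhaustive list).
LOLBINS = {"osascript", "sh", "bash", "zsh", "python3", "curl"}


def _plist(text: str) -> bytes:
    # plistlib detects the XML format from the first bytes, so strip leading whitespace.
    return text.strip().encode()


# Constructed sample launchd property lists keyed by their (hypothetical) on-disk path.
SAMPLE_PLISTS = {
    "/Library/LaunchAgents/com.example.updater.plist": _plist("""
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
    "/Users/victim/Library/LaunchAgents/com.apple.softwareupdate.plist": _plist("""
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/victim/Library/.hidden/loader.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""),
    "/Library/LaunchDaemons/com.cracktool.helper.plist": _plist("""
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.cracktool.helper</string>
  <key>Program</key><string>/private/tmp/.helper/run</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
}


def launch_program(item: dict):
    """Return (program path, full argv) for a launchd item; Program wins over ProgramArguments[0]."""
    args = list(item.get("ProgramArguments", []))
    program = item.get("Program") or (args[0] if args else "")
    return program, args


def hidden_component(path: str) -> bool:
    """True if any directory or file name in the path starts with a dot."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def assess_launch_item(path: str, plist_bytes: bytes) -> dict:
    """Apply the triage heuristics to one plist and return the reasons it tripped."""
    item = plistlib.loads(plist_bytes)
    program, args = launch_program(item)
    label = item.get("Label", "")
    reasons = []
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside baseline-trusted locations")
    if os.path.basename(program) in LOLBINS:
        reasons.append("launch item drives an interpreter or download tool")
    if any(hidden_component(p) for p in [program, *args]):
        reasons.append("hidden directory in program path or arguments")
    if label.startswith("com.apple.") and path.startswith("/Users/"):
        reasons.append("Apple-style label in a per-user LaunchAgents folder")
    return {"path": path, "label": label, "program": program,
            "run_at_load": bool(item.get("RunAtLoad", False)), "reasons": reasons}


def scan_launch_items(plists: dict) -> list:
    """Return only the items that tripped at least one heuristic."""
    return [r for r in (assess_launch_item(p, b) for p, b in plists.items()) if r["reasons"]]


if __name__ == "__main__":
    for r in scan_launch_items(SAMPLE_PLISTS):
        print(f"{r['path']} -> {r['program']} (RunAtLoad={r['run_at_load']})")
        for reason in r["reasons"]:
            print(f"  - {reason}")
```

On a real host the dictionary would be filled by reading every .plist under /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents; the heuristics are deliberately loose and meant to shortlist items for a human to inspect, since the article notes that the malware hides behind trusted Apple utilities.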
Analyzing network traffic offers one detection method, but the encrypted DNS tunnels disguise a lot of activity. Shutting down DNS while monitoring for new processes can reveal additional malware.
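The DNS tunneling channel leaves a footprint in resolver logs even when its payload is encrypted: bursts of queries to one parent domain, each with a different random-looking subdomain label, and an unusual record type. The script below is an added example for this article, not code from the researchers, and it assumes the tunnel carries data in TXT queries with an encoded label per request; the log format and the c2-example.test queries are constructed samples.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <query name> <record type>".
# The c2-example.test lines are invented to mimic a tunnel: a fresh high-entropy
# label per query, all TXT, all under one parent domain.
SAMPLE_LOG = """\
2024-01-20T10:00:01 192.168.1.20 www.apple.com A
2024-01-20T10:00:02 192.168.1.20 ocsp.apple.com A
2024-01-20T10:00:05 192.168.1.20 q7k2m9x1p4.c2-example.test TXT
2024-01-20T10:00:06 192.168.1.20 z8v3n6b0r5.c2-example.test TXT
2024-01-20T10:00:07 192.168.1.20 l1w4d7h2s9.c2-example.test TXT
2024-01-20T10:00:08 192.168.1.20 a5f8j1k6t3.c2-example.test TXT
2024-01-20T10:00:09 192.168.1.21 mail.example.org MX
2024-01-20T10:00:10 192.168.1.21 _dmarc.example.org TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or random labels score higher than words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (parent domain, subdomain). Simplifying assumption:
    the parent domain is the last two labels (a public-suffix list would be better)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return qname.rstrip("."), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_tunnels(log_text: str, min_txt: int = 3, min_unique: int = 3,
                     min_entropy: float = 3.0) -> list:
    """Group queries per (client, parent domain) and flag groups that look like a tunnel:
    enough TXT queries, enough distinct subdomains, and random-looking leading labels."""
    stats = defaultdict(lambda: {"txt": 0, "subs": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, rtype = parts
        parent, sub = split_name(qname)
        s = stats[(client, parent)]
        if rtype.upper() == "TXT":
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            s["entropies"].append(shannon_entropy(sub.split(".")[0]))
    findings = []
    for (client, parent), s in stats.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        if s["txt"] >= min_txt and len(s["subs"]) >= min_unique and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": parent,
                "txt_queries": s["txt"],
                "unique_subdomains": len(s["subs"]),
                "mean_label_entropy": round(mean_entropy, 2),
            })
    return sorted(findings, key=lambda f: f["txt_queries"], reverse=True)


if __name__ == "__main__":
    for f in find_dns_tunnels(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['txt_queries']} TXT queries, "
              f"{f['unique_subdomains']} subdomains, entropy {f['mean_label_entropy']}")
```

The thresholds are intentionally conservative: single TXT lookups such as the _dmarc record in the sample are normal mail hygiene and must not page anyone, so the rule requires volume and label randomness together. In production the same grouping would run over a window of resolver or firewall logs, and a hit is a reason to pull the client's process list, which matches the article's suggestion of pairing DNS monitoring with process monitoring.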
Ultimately a full system wipe and restore from backup provides the only guaranteed fix. Backups should be taken regularly, before any potential infection. For enterprise networks, airports and robust security products like SentinelOne can detect these types of threats.
What Comes Next?
With cryptocurrency wallets and passwords as the original goal, security experts fear this campaign will expand to more dangerous cybercrime activities. The remote scripting allows new capabilities to be added at any time.
Industry warnings have gone out to raise awareness and try to limit further infections. However, pirated software remains popular globally, so propagation will likely continue, especially outside regulated app stores.
Developers need to harden security around sensitive user data like biometrics and 2FA secrets given the high level of system access. All users should avoid untrusted software sources no matter the temptation and cost savings.
- Over 30 infected apps uncovered so far
- Targets cryptocurrency wallets and passwords
- Uses DNS tunneling to retrieve scripts
- Leverages accessibility features for control
- Spreads via trusted cracked software sites
- Difficult to detect malicious activity
- Requires full system wipe for guaranteed removal
I aimed to write an engaging news story covering the key details around this new macOS malware threat while providing context and analysis around the potential impacts. The content is sourced from the provided URLs, with some generalization and extrapolation used to create a narrative flow. Please let me know if you would like me to modify or improve the story in any way.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.