Jamf Threat Labs researchers warned against pirated applications distributing a backdoor to macOS users. The researchers noted that the malware resembled ZuRu and let attackers download and execute multiple payloads on compromised machines.

First discovered

According to researchers, the pirated applications are hosted on Chinese pirating websites.
  • They first came across the threat after detecting a notable executable named ‘.fseventsd’.
  • The executable, bundled inside a DMG file, reused the name of a genuine process built into the operating system, which kept Apple systems from flagging it as a suspicious file.
  • Upon further investigation, the researchers discovered two more trojanized DMG files containing many pirated applications backdoored with the same malware.
  • These applications looked similar to legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

More in detail

Each pirated application came with three components:
  • Malicious dylib: acts as a dropper whenever the application is opened.
  • Backdoor: a binary executable downloaded by the malicious dylib; it is built on Khepri, an open-source C2 and post-exploitation tool.
  • Persistent downloader: another binary downloaded by the malicious dylib that sets up persistence and downloads additional payloads.
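Two of the observations above translate directly into checks a defender can run over a mounted DMG: the ‘.fseventsd’ name collision (a genuine macOS volume has `.fseventsd` only as a hidden directory of FSEvents logs, so a regular Mach-O file by that name is itself a signal) and an application binary whose load commands pull in a dylib the vendor build never linked, which is how a malicious dylib gets to run every time the app opens. The Python scanner below is an added example, not code from Jamf or from the report; the hidden names beyond `.fseventsd`, the `Sample.app` name, `libSampleCore.dylib` and `libInjected.dylib` are assumed placeholders, and the Mach-O images it builds are constructed fixtures for the demo.

```python
import os
import struct
import tempfile

# Mach-O constants, as defined in <mach-o/loader.h>.
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Hidden names a real macOS volume owns as directories or metadata, never as
# executables. ".fseventsd" is the name from the report; the others are assumed.
SYSTEM_NAMES = {".fseventsd", ".Spotlight-V100", ".Trashes"}
# Install-name prefixes that belong to the OS and need no per-app allowlist.
SYSTEM_DYLIB_PREFIXES = ("/usr/lib/", "/System/Library/")


def is_thin_macho(data):
    """True for a 32- or 64-bit Mach-O image (fat/universal files are skipped)."""
    if len(data) < 28:
        return False
    magic = struct.unpack(">I", data[:4])[0]
    return magic in (MH_MAGIC_64, MH_CIGAM_64, MH_MAGIC, MH_CIGAM)


def linked_dylibs(data):
    """Walk the load commands and return every dylib install name the image links."""
    magic = struct.unpack(">I", data[:4])[0]
    endian = ">" if magic in (MH_MAGIC_64, MH_MAGIC) else "<"
    off = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28  # sizeof(mach_header[_64])
    ncmds = struct.unpack(endian + "I", data[16:20])[0]
    names = []
    for _ in range(ncmds):
        if off + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8:
            break  # malformed command; stop rather than loop forever
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def scan_tree(root, allowed_dylibs):
    """Return sorted (kind, path, detail) findings for every Mach-O file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_thin_macho(data):
                continue
            if fn in SYSTEM_NAMES:  # executable hiding behind a system-owned name
                findings.append(("masquerade", path, fn))
            for name in linked_dylibs(data):  # dylib the known-good build never linked
                if name not in allowed_dylibs and not name.startswith(SYSTEM_DYLIB_PREFIXES):
                    findings.append(("unexpected_dylib", path, name))
    return sorted(findings)


def build_sample_macho(dylibs):
    """Constructed fixture: minimal arm64 Mach-O header followed by LC_LOAD_DYLIB commands."""
    cmds = b""
    for name in dylibs:
        body = name.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)  # load commands are 8-byte aligned
        # dylib_command: cmd, cmdsize, name offset (24), timestamp, current, compat
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(body), 24, 0, 0x10000, 0x10000) + body
    # mach_header_64: magic, cputype (arm64), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


def demo():
    """Build a constructed DMG-like tree containing both red flags and scan it."""
    root = tempfile.mkdtemp(prefix="pirated_dmg_")
    macos_dir = os.path.join(root, "Sample.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    # 1. A hidden Mach-O executable borrowing the ".fseventsd" name at the volume root.
    with open(os.path.join(root, ".fseventsd"), "wb") as fh:
        fh.write(build_sample_macho(["/usr/lib/libSystem.B.dylib"]))
    # 2. What a genuine volume has: a ".fseventsd" directory of plain files (must not fire).
    os.makedirs(os.path.join(root, "Volume", ".fseventsd"))
    with open(os.path.join(root, "Volume", ".fseventsd", "fseventsd-uuid"), "w") as fh:
        fh.write("not a Mach-O file\n")
    # 3. The app binary with one LC_LOAD_DYLIB beyond its expected set
    #    (libInjected.dylib is a hypothetical stand-in for the dropper dylib).
    with open(os.path.join(macos_dir, "Sample"), "wb") as fh:
        fh.write(build_sample_macho([
            "/usr/lib/libSystem.B.dylib",
            "@rpath/libSampleCore.dylib",
            "@executable_path/../Frameworks/libInjected.dylib",
        ]))
    allowed = {"@rpath/libSampleCore.dylib"}  # what the vendor build is known to link
    return scan_tree(root, allowed)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:16} {path}  ({detail})")
```

Against a real image, call `scan_tree("/Volumes/<mounted DMG>", allowed)` with the allowlist taken from a clean install of the same application (`otool -L` on the vendor binary produces the same list of install names that `linked_dylibs` returns). The scanner deliberately stops at the first malformed load command instead of trusting `cmdsize`, since a crafted header is one of the inputs it is most likely to meet.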

Similarities with ZuRu malware 

Researchers claim that the malware is a successor to ZuRu, given its targeted applications, modified load commands, and attacker infrastructure.
Active since 2021, ZuRu primarily targeted users in China and was found in pirated versions of iTerm, SecureCRT, and Microsoft Remote Desktop Client.

Conclusion

The news comes a couple of days after the discovery of the SpectralBlur backdoor, a macOS malware capable of executing shellcode and communicating with its C2 server over RC4-encrypted sockets. The emergence of the new macOS malware underlines the importance of increasing awareness among employees and organizations.
Cyware Publisher
