Pirated applications targeting Apple macOS users have recently been identified, presenting a grave threat by embedding a backdoor that grants attackers remote control over compromised machines. Researchers from Jamf Threat Labs, namely Ferdous Saljooki and Jaron Bradley, disclosed that these malicious applications are hosted on Chinese pirating websites, specifically the site macyy[.]cn, as part of a strategy to ensnare victims. Upon activation, the malware proceeds to download and execute multiple payloads in the background, surreptitiously compromising the victim’s machine. Notably, these backdoored disk image (DMG) files incorporate well-known software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
The unsigned applications from these pirated sources include a dropper component called “dylib,” which executes each time the application is opened. This dropper serves as a conduit to fetch a backdoor (“bd.log”) and a downloader (“fl01.log”) from a remote server. The backdoor, residing in the “/tmp/.test” path, is fully-featured and utilizes the open-source post-exploitation toolkit Khepri. Although located in the temporary directory (“/tmp”), the backdoor persists by being recreated each time the pirated application is loaded. Simultaneously, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” ensuring persistence by creating a LaunchAgent and sending an HTTP GET request to an actor-controlled server.
Despite the server’s current inaccessibility, the downloader continues to write the HTTP response to a new file at “/tmp/.fseventsds” and launches it. The researchers at Jamf highlight the malware’s resemblance to ZuRu, a previously observed threat spreading through pirated applications on Chinese sites. This similarity suggests a possible lineage, indicating that the recently discovered malware may be a successor to the ZuRu malware, evident in its targeted applications, modified load commands, and shared attacker infrastructure. The overarching concern revolves around the stealthy compromise of macOS systems through the distribution of these sophisticated and disguised pirated applications.