| Unarchiver | |
| --- | --- |
| Type of Malware | Trojan |
| Date of initial activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | macOS |
| Type of Information Stolen | System Information |
Overview
The Unarchiver malware represents a sophisticated and deceptive cyber threat targeting macOS users by impersonating a popular file extraction application. Known for its legitimacy and widespread use, The Unarchiver is a trusted tool for handling various compressed file formats such as RAR and ZIP. However, cybercriminals have leveraged this trusted name to craft a malicious version of the software, luring unsuspecting users into downloading a fake installer from a look-alike website. This malware campaign highlights the growing prevalence of social engineering attacks, where attackers exploit familiar applications to gain the trust of potential victims.
The malicious version of The Unarchiver, distributed through a fraudulent website mimicking the official site, delivers a payload designed to harvest sensitive user data. When a user downloads the installer, which appears to be an innocuous .dmg file, they unwittingly execute a series of malicious actions. The malware operates under the guise of a legitimate application, bypassing traditional security detection mechanisms, including antivirus tools and file integrity checks. The use of a fake code-signing certificate further complicates detection, making it appear as if the file were safe, despite its malicious intent.
Targets
Individuals
How they operate
The initial phase of the attack often begins with social engineering tactics, such as phishing emails or fake download links, which are intended to convince users to download what they believe to be the legitimate Unarchiver application. Once a victim downloads the compromised file—often disguised as a .dmg (disk image) file for macOS—the malware is executed upon opening. The malware might attempt to mimic the appearance of a normal installation process to avoid raising suspicion. However, behind the scenes, the compromised installer runs code that deploys the malicious payload, typically in the form of an application bundle or executable file hidden within the disk image.
Once executed, the malware proceeds to the persistence phase, where it ensures that the malicious payload remains active even after the system is rebooted. One common technique used by Unarchiver malware is to create new entries in the system’s startup processes. This may involve adding the malicious application to macOS’s LaunchAgents or LaunchDaemons directories, which ensure that the malware executes automatically each time the user logs into the system. Additionally, the malware might attempt to inject its code into legitimate system processes or create new processes that operate in the background, often disguising its activities to evade detection by security software.
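As an added detection example (not code from this write-up), the Python below parses launchd property lists from the LaunchAgents/LaunchDaemons directories named above and flags entries with the traits a dropped persistence item tends to have: a program or argument pointing into a temp, mounted or hidden directory, an interpreter fed an inline command, and RunAtLoad combined with KeepAlive. The trusted/suspicious path prefixes, the interpreter list and the sample plist are constructed assumptions, not Unarchiver indicators.

```python
import plistlib
from pathlib import Path

# Directories launchd consults at login/boot; persistence entries land in one of these.
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Heuristics (assumed, not from the write-up): where legitimate autostart programs usually
# live, and paths a dropped payload tends to use (temp dirs, mounted .dmg, shared/hidden dirs).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Volumes/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}

# Constructed sample (not a real artifact): shell with an inline command into a hidden dir.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/Shared/.u/run</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

def triage_plist(data: bytes, source: str = "<inline>") -> list:
    """Return findings (strings) for one launchd plist; an empty list means nothing flagged."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist input
        return [f"{source}: unparseable plist ({exc})"]
    args = list(plist.get("ProgramArguments") or [])
    exe = plist.get("Program") or (args[0] if args else None)
    if exe is None:
        return [f"{source}: no Program/ProgramArguments"]
    if not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"{source}: executable outside standard locations: {exe}")
    for token in [exe] + args[1:]:  # any path into a temp, mounted or hidden dir
        if token.startswith(SUSPICIOUS_PREFIXES) or "/." in token:
            findings.append(f"{source}: references unusual path: {token}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{source}: RunAtLoad+KeepAlive (relaunched if terminated)")
    if Path(exe).name in INTERPRETERS and ("-c" in args or "-e" in args):
        findings.append(f"{source}: interpreter invoked with an inline script")
    return findings

def scan_launch_dirs(dirs=LAUNCH_DIRS) -> dict:
    """Map each flagged plist under dirs to its findings (meaningful only on a live Mac)."""
    results = {}
    for p in (f for d in dirs if d.is_dir() for f in d.glob("*.plist")):
        found = triage_plist(p.read_bytes(), str(p))
        if found:
            results[str(p)] = found
    return results
```

Run `scan_launch_dirs()` on a suspect Mac and review every flagged plist by hand; the heuristics are a triage aid, and a legitimate third-party agent can trip them.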
As the malware gains a foothold, it may attempt to escalate its privileges using known exploits. By exploiting vulnerabilities in macOS, such as flaws in system-level applications or configuration files, the malware can gain higher levels of access, potentially bypassing security restrictions. Privilege escalation allows the malware to perform more critical tasks, including stealing sensitive data, altering system files, or installing further malicious payloads. Depending on the sophistication of the malware, it may attempt to disable security measures like antivirus software or firewalls to avoid detection.
Furthermore, Unarchiver malware is capable of data exfiltration, which is a key objective in many malware operations. Once it has full access to the system, it may silently collect user data, including sensitive files, credentials, or other personal information. This information is then transmitted back to a remote Command and Control (C2) server controlled by the attackers. The exfiltration typically occurs over an encrypted channel to avoid detection by network security systems. This stage is crucial for attackers to harvest valuable data, whether it be for identity theft, financial fraud, or corporate espionage.
To avoid detection and removal by security tools, Unarchiver malware may use various defense evasion techniques. One common approach is file obfuscation, where the malware’s payload is encrypted or disguised within innocuous-looking files, making it harder for antivirus software to detect. In some cases, the malware may leverage legitimate software to run its malicious actions under the guise of trusted processes. These evasion techniques are critical to the malware’s survival, allowing it to remain on the system for extended periods without being flagged by traditional security measures.
In conclusion, the technical operation of Unarchiver malware represents a multi-faceted attack strategy designed to infiltrate macOS systems, maintain a presence, escalate privileges, and exfiltrate sensitive data. The use of social engineering to trick users into downloading the malware, combined with sophisticated persistence and evasion tactics, makes Unarchiver a formidable threat. Understanding its operation is essential for defending against such attacks, underscoring the importance of maintaining updated security software, exercising caution with downloaded files, and monitoring systems for any unusual behavior.
MITRE Tactics and Techniques
Initial Access (TA0001):
Phishing (T1566): The Unarchiver malware often relies on deceptive techniques, such as fake websites or phishing emails, to trick users into downloading a compromised version of the software. These methods align with the Phishing technique, where the attacker convinces the victim to download and run the malicious file.
Drive-by Compromise (T1189): If the attacker leverages a compromised website or a fake site mimicking the legitimate Unarchiver website, it could also be considered a form of drive-by download, where malware is automatically downloaded when the user visits the site.
Execution (TA0002):
Malicious File (T1203): The malware executes once the user opens the compromised installer (such as a fake .dmg file on macOS). This technique covers the execution of malicious files that mimic legitimate software.
Command and Scripting Interpreter (T1059): The malware might use scripts or shell commands to run its malicious activities after the initial installation.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): The malware may attempt to establish persistence by adding itself to startup locations or creating new system services that automatically execute when the user logs in.
Create or Modify System Process (T1543): This technique could be used to install or modify system-level processes, ensuring that the malware survives reboots and removal attempts.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): If the malware gains sufficient access, it may exploit system vulnerabilities to elevate its privileges and perform more extensive malicious actions on the compromised system.
Credential Access (TA0006):
Input Capture (T1056): The malware may use keylogging or other methods to capture sensitive data like passwords, banking information, or login credentials from the infected system.
Credential Dumping (T1003): If the malware escalates its privileges, it may attempt to dump system or application credentials to further infiltrate the network or compromise other systems.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): The malware may send the stolen data back to an attacker-controlled server over its command-and-control (C2) channel.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): To avoid detection, the malware may obfuscate its files, processes, or communications, making it harder for security tools to identify and block it.
Signed Binary Proxy Execution (T1218): The malware might use a trusted application or a signed certificate to execute its malicious payload, evading detection by appearing legitimate.
Disabling Security Tools (T1089): In some cases, the malware may attempt to disable or interfere with security software to avoid detection and removal.