Malware is being targeted at Mac users who receive pirated versions of popular apps from warez websites after they choose to download them from those websites. Various reports state that cybercriminals are infecting macOS devices with proxy trojans and turning them into terminals to spread the malware and run phishing and hacking campaigns on them.
It has been reported recently that an ongoing campaign called the Kaspersky Campaign was discovered earlier in the year in April. According to the report, the campaign sells proxy access that turns into botnets such as Qakbot, which was recently dismantled by the Federal Bureau of Investigation and removed from around 7,00,000 machines.
According to Kaspersky's report, this campaign is targeting users who are not willing to pay for premium versions of apps or who are unwilling to upgrade their current apps. The cybersecurity firm's research found that the virus was injected into pirated versions of 35 popular apps that edit images, compress videos, edit videos, recover lost data, scan networks, and recover passwords.
The latest attack is targeting Mac users by spreading a new proxy trojan malware through the distribution of popular copyrighted macOS software that can be found on warez websites, enabling them to exploit Mac users. When a computer is infected with this malware, it is transformed into an automatic traffic-forwarding terminal, which is used to facilitate malicious or illegal activities, such as phishing and hacking.
Cybercriminals exploit the allure of being able to get premium applications without paying by exploiting the allure of obtaining premium applications. In the recent campaign, which was uncovered by Kaspersky, 35 popular software applications include image editors, video compressors and editors, data recovery programs, and network scanning tools that are known to contain the proxy trojan, which is a type of malware.
This trojanized version of the software is downloaded as a PKG file, which poses an even higher risk than the normal disk image file, which can be used to install the software on your computer.
As part of the installation process, PKG files can run scripts, giving them the same rights as administrators. It opens up a whole new level of risk by granting them permission to perform dangerous actions like the modification of files, the execution of commands, and more.
After the trojan has been installed, it activates embedded scripts which conceal it as a system process named “WindowServer,” so that it blends into normal system operation. Additionally, in an attempt to evade detection, the GoogleHelperUpdater.plist file used by the trojan can be found in the virus.
There is no confirmation of a specific command or command sequence that the trojan can execute. Still, analysis indicates that it is capable of creating TCP or UDP connections on its own to facilitate proxying, to communicate with a command and control server using DNS-over-HTTPS.
The same C2 hardware that hosts the macOS proxy trojan payloads, as well as similar payloads for Android and Windows systems, also indicates that these cybercriminals are targeting a wide range of devices with their payloads, indicating that they are targeting a variety of devices.
By using the name "WindowServer", the trojan hides itself by resembling a legitimate system process used by macOS to manage user interfaces in the operating system. This trojan is triggered by a file called GoogleHelperUpdater.plist, another legitimate-sounding Chrome file that makes it harder for the trojan to be detected.
Kaspersky’s study suggests that the trojan is affecting both macOS and Android devices. The study suggests that although Kaspersky’s researchers could not see what commands the malware is executing, the malware appears to be using TCP and UDP networking protocols to act as a proxy for other applications.
Kaspersky researchers believe that the threat actor behind this particular campaign has specific reasons to believe that it is targeting other operating systems, just with a different installer, in addition to macOS users.