Hackers Using Pirated macOS Apps to Deploy Evasive Malware


Security researchers at Jamf Threat Labs have uncovered a stealthy cryptomining campaign aimed at macOS users. 

The attackers distribute a pirated copy of Final Cut Pro, Apple's professional video editing software, that has been modified to carry malicious code. 

More worrying, the campaign has evaded most antivirus engines, so affected users have no idea that their machines' processing power is being hijacked for the attackers' profit.

The unauthorized modification to Final Cut Pro results in the execution of the XMRig coin miner. 


Evasive Malware Campaign

Jamf Threat Labs identified a specific threat targeting macOS and conducted an investigation that traced its origin to torrents containing malicious files shared on The Pirate Bay. The individual who shared these files used the username [wtfisthat34698409672].

Digging into that account's activity showed that it had been uploading macOS apps regularly since 2019, including popular titles such as:

  • Adobe Photoshop
  • Logic Pro X

Looking further, the researchers found that the malware had gone through three major developmental phases, each iteration more sophisticated and better equipped with evasion techniques than the last.

The first generation already set the tone. To keep its communication with its C2 hard to trace, it routed that traffic over the I2P anonymity network. 

I2P does not make the traffic invisible; what it hides is the destination, so the C2 infrastructure is hard to identify or take down. Every later generation, including the current one, retains this transport.

The second generation circulated only briefly, between April and October 2021, but brought significant changes to the codebase. 

The most notable addition was base64 encoding: the malicious executables were stored as base64 text inside the app bundle and decoded only at run time, so a scanner looking for Mach-O binaries or known file hashes on disk would not see them.

The third generation appeared in October 2021 and is the current one; since May 2022 it has been the only variant seen in distribution and the only one still in production.

This variant disguises its malicious processes as Spotlight-related system processes, so that at a glance they pass as legitimate.

The latest version also has an additional trick that makes it even harder to spot: a script that runs continuously in the background and watches for the Activity Monitor application. 

The moment the user launches Activity Monitor, the malware terminates all of its own processes, so an inspection of the process list shows nothing out of the ordinary.
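Both behaviours leave traces that a defender can look for: a Spotlight daemon name on a binary that does not live under Apple's system paths, a "daemon" whose parent is a shell rather than launchd, and a shell loop that polls for Activity Monitor and kills processes. The following is an added example (not Jamf's detection logic and not the malware's code) that runs those three heuristics over a process snapshot. The snapshot, the daemon-name list, the trusted path prefixes and the constructed command lines are all assumptions; on a live Mac the same fields would come from `ps -axo pid,ppid,comm,command` and the executable path from `lsof -p <pid>`.

```python
"""Flag processes that masquerade as Spotlight daemons or watch for Activity
Monitor (added example over a constructed process snapshot)."""
from dataclasses import dataclass
import os

# Names of genuine Spotlight daemons that a miner might borrow (assumed list).
SPOTLIGHT_NAMES = {"mds", "mds_stores", "mdworker", "mdworker_shared", "mdimport", "mdsync"}
# Where Apple's own binaries live; a daemon name anywhere else is suspect.
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/sbin/", "/bin/")
SHELLS = {"sh", "bash", "zsh", "dash"}
PROCESS_TOOLS = ("pgrep", "pkill", "killall", "kill", "ps ")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str      # what Activity Monitor or `ps -o comm` displays
    exe: str       # resolved executable path
    cmdline: str   # full command line


def audit(procs: list) -> dict:
    """Return {pid: [flags]} for every process that trips a heuristic."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        flags = []
        if p.name in SPOTLIGHT_NAMES:
            # Rule 1: a Spotlight daemon name on a binary outside Apple's system paths.
            if not p.exe.startswith(SYSTEM_PREFIXES):
                flags.append("masquerade")
            # Rule 2: launchd spawns the real daemons; a shell as parent is odd.
            parent = by_pid.get(p.ppid)
            if parent is not None and os.path.basename(parent.exe) in SHELLS:
                flags.append("spawned_by_shell")
        # Rule 3: a shell loop that polls for Activity Monitor and kills things.
        if os.path.basename(p.exe) in SHELLS:
            lower = p.cmdline.lower()
            if "activity monitor" in lower and any(t in lower for t in PROCESS_TOOLS):
                flags.append("activity_monitor_watcher")
        if flags:
            findings[p.pid] = flags
    return findings


MDWORKER_SHARED = ("/System/Library/Frameworks/CoreServices.framework/Versions/A/"
                   "Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared")

# Constructed snapshot: one legitimate Spotlight worker, the real Final Cut Pro,
# a watcher loop, and a miner borrowing the mdworker name (all invented here).
SAMPLE_PROCS = [
    Proc(1, 0, "launchd", "/sbin/launchd", "/sbin/launchd"),
    Proc(412, 1, "mdworker_shared", MDWORKER_SHARED,
         MDWORKER_SHARED + " -s mdworker -c MDSImporterWorker"),
    Proc(800, 1, "Final Cut Pro",
         "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro",
         "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro"),
    Proc(1300, 1, "sh", "/bin/sh",
         "sh -c while true; do pgrep -xq 'Activity Monitor' && pkill -x mdworker; sleep 2; done"),
    Proc(1337, 1300, "mdworker", "/Users/alice/Library/Caches/.fcp/mdworker",
         "mdworker -o 127.0.0.1:4444"),
]


if __name__ == "__main__":
    for pid, flags in sorted(audit(SAMPLE_PROCS).items()):
        print(pid, ", ".join(flags))
```

None of the three rules is conclusive on its own (a vendor can legitimately ship a helper with an unusual name, and administrators write shell loops too), which is why the audit reports each flag separately: a process that trips "masquerade" and "spawned_by_shell" together, with a sibling that trips "activity_monitor_watcher", is a much stronger signal than any one of them.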

Apple’s Strategy with ‘Ventura’

Apple's newest macOS release, Ventura, validates the code signature of a launched application's bundle more thoroughly than its predecessors. That makes it harder to execute malware tucked into user-launched applications, pirated builds in particular.

The distributors of the pirated Final Cut Pro took a different route. 

Rather than replacing the application wholesale, they modified parts of it while leaving the original code-signing certificate in place, so the bundle still appears to come from its legitimate developer and a casual user sees nothing amiss. A surviving certificate says nothing about the bundle's integrity, though: a deep, strict verification of the modified bundle's signature, which checks every nested component rather than only the main executable, still reports the tampering, and that is exactly the kind of check Ventura tightened.

Apple is aware of this malware family and has taken steps to mitigate its impact on user systems, including targeted updates to the XProtect signatures built into macOS so that the malicious code is identified and blocked.
