A sophisticated new Mac malware campaign has emerged, targeting users through a deceptive PDF conversion website that conceals a dangerous two-stage payload.
The malware, dubbed “JSCoreRunner,” represents a significant evolution in macOS threats, demonstrating how cybercriminals are adapting their techniques to bypass Apple’s security measures while maintaining zero detection rates on major security platforms.
The threat operates through fileripple[.]com, a fraudulent website that masquerades as a legitimate PDF conversion service.
Users visiting the site are prompted to download what appears to be a helpful utility called “FileRipple.pkg,” which creates the illusion of a genuine PDF tool by launching a fake webview interface.
This sophisticated deception allows the malware to execute its malicious activities silently while users believe they are interacting with a legitimate application.
9to5Mac analysts identified this campaign as particularly concerning due to its zero-day status at the time of discovery.
The malware had achieved complete evasion across all security vendors on VirusTotal, highlighting the advanced nature of this threat and the challenges facing traditional detection methods.
The malware’s primary objective centers on browser hijacking, specifically targeting Google Chrome installations on infected systems.
JSCoreRunner systematically traverses the ~/Library/Application Support/Google/Chrome/ directory to locate both default and additional user profiles, then manipulates search engine configurations through TemplateURL object modifications.
Two-Stage Infection Mechanism
The JSCoreRunner campaign employs a carefully orchestrated two-stage deployment strategy designed to circumvent macOS security controls.
The initial stage involves a signed package that was deliberately crafted to appear legitimate, though Apple subsequently revoked the developer’s signature.
This revocation triggers macOS Gatekeeper to block the first-stage package, creating a false sense of security for users who might assume the threat has been neutralized.
However, the second stage, “Safari14.1.2MojaveAuto.pkg,” operates as an unsigned payload that downloads directly from the same compromised domain.
This unsigned nature allows it to bypass Gatekeeper’s default blocking mechanisms, as macOS typically focuses signature validation on initially downloaded packages rather than subsequently fetched components.
Upon successful installation, the malware establishes persistence by modifying Chrome’s search engine settings, redirecting users to fraudulent search engines while hiding crash logs and session restoration prompts to maintain stealth operations.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source link
