In a recent development early in 2024, cybersecurity researchers have raised alarms about hidden backdoors in pirated software targeting Apple macOS users. These backdoors could allow attackers to gain remote control over infected devices.
Researchers from Jamf Threat Labs, Ferdous Saljooki and Jaron Bradley, have highlighted this new threat, noting that the malicious applications are predominantly hosted on Chinese piracy websites. These sites aim to entrap users by offering pirated versions of widely-used software.
The researchers explain that once activated, the malware silently infiltrates the user’s computer, downloading and executing numerous payloads in the background, thereby compromising the device. The infected disk image (DMG) files include altered versions of legitimate software such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
Hosted on a Chinese website known as “macyy[.]cn,” these unsigned applications contain a dropper component in the form of a dynamic library (dylib) that activates every time the application is launched. This dropper serves as a gateway for downloading a backdoor (“bd.log”) and a downloader (“fl01.log”) from a remote server, setting up persistence on the infected machine and retrieving additional payloads.
The backdoor, written to the path “/tmp/.test,” is a fully-functional tool built on the open-source post-exploitation framework Khepri. Being located in the “/tmp” directory means it gets deleted upon system shutdown, but it is recreated in the same location when the pirated application is reloaded and the dropper is executed again.
In contrast, the downloader is written to a hidden path “/Users/Shared/.fseventsd,” where it subsequently creates a LaunchAgent for persistence and initiates an HTTP GET request to a server controlled by the attackers. Although the server is currently inaccessible, the downloader is programmed to write the HTTP response to a new file at /tmp/.fseventsds and execute it.
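As an added defender-side example (not code from Jamf's report), the following Python script checks a macOS volume for the file artifacts and LaunchAgent persistence described above; the `root` parameter is an assumption so the same hunt can be run against a mounted image or a constructed test tree rather than only the live system.

```python
import plistlib
from pathlib import Path

# Artifact paths named in the report, relative to the volume root. The root
# is a parameter (assumption) so the hunt can run against a mounted image.
ARTIFACTS = {
    "tmp/.test": "Khepri-based backdoor",
    "Users/Shared/.fseventsd": "hidden downloader",
    "tmp/.fseventsds": "second-stage payload written from the HTTP response",
}
DOWNLOADER = "/Users/Shared/.fseventsd"  # path the persistence LaunchAgent should reference


def launch_agent_dirs(root):
    """Yield the system and per-user LaunchAgents directories under root."""
    yield root / "Library" / "LaunchAgents"
    if (root / "Users").is_dir():
        for home in (root / "Users").iterdir():
            yield home / "Library" / "LaunchAgents"


def suspicious_launch_agents(root):
    """Return LaunchAgent plists whose Program/ProgramArguments point at the downloader."""
    hits = []
    for d in launch_agent_dirs(root):
        if not d.is_dir():
            continue
        for plist in d.glob("*.plist"):
            try:
                data = plistlib.loads(plist.read_bytes())
            except Exception:  # unparsable plist: skipped here, not cleared
                continue
            fields = [data.get("Program", "")] + list(data.get("ProgramArguments", []))
            if any(DOWNLOADER in str(f) for f in fields):
                hits.append(str(plist))
    return hits


def find_indicators(root="/"):
    """Return human-readable findings for the artifacts described in the report."""
    root = Path(root)
    findings = [f"{root / rel}: {desc}" for rel, desc in ARTIFACTS.items()
                if (root / rel).exists()]
    findings += [f"{p}: LaunchAgent referencing {DOWNLOADER}"
                 for p in suspicious_launch_agents(root)]
    return findings


if __name__ == "__main__":
    print("\n".join(find_indicators() or ["no indicators found"]))
```

Absence of these artifacts is not a clean bill of health: the `/tmp` files are recreated only when the pirated application is relaunched, so the LaunchAgent and the hidden downloader are the more durable indicators.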
Jamf’s report indicates that this malware bears several similarities to the previously observed ZuRu malware, which was also spread via pirated applications on Chinese sites. Considering the targeted applications, modified load commands, and attacker infrastructure, the researchers suggest that this malware might be a successor to ZuRu.