Kaspersky Lab has recently identified and analyzed a highly sophisticated cyberattack targeting macOS users through the use of cracked applications and DNS records. This malicious effort involves the distribution of malware that masquerades as legitimate DNS traffic, downloading Python scripts that act as backdoors into the user's system.
Infection Chain and Methodology
Investigations show that the campaign is primarily focused on users of macOS Ventura and beyond. The attack commences when an individual downloads a repackaged cracked application in PKG format, which unbeknownst to them, contains a trojan. As the victim proceeds to install the malware, they are deceived into granting administrative privileges via a counterfeit activator window prompting for an administrator password.
Once permission is given, the malware calls the macOS AuthorizationExecuteWithPrivileges API to run its 'tool' executable with elevated rights. It then checks whether Python 3 is present and installs it if needed, which gives the appearance of a normal application patching process.
The malware subsequently contacts a control server at a domain posing as Apple, "apple-health[.]org," to retrieve a base64-encoded Python script capable of executing arbitrary commands. Researchers noted an innovative method used by the attackers to generate the contact URL: they concatenate words from two hardcoded lists with a random letter sequence, producing a unique subdomain for each request.
Kaspersky experts remarked that the requests to the DNS server look like ordinary name lookups, but in fact they retrieve TXT records that carry the malicious payload. The DNS server's response contains three TXT records, each a base64-encoded fragment of an AES-encrypted message; decoded, decrypted and concatenated, the fragments form the Python script.
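The delivery pattern described above (several TXT answers for one query, each strict base64 wrapping high-entropy ciphertext) is something a resolver log can be checked for. The following is an added detection example written for this article, not code from Kaspersky's report; the log format, the client addresses, the placeholder domain "c2.example" and the stand-in ciphertext are all constructed.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Constructed stand-in for the AES ciphertext the report describes: a
# high-entropy byte string split into three base64 fragments (not real data).
_CIPHERTEXT = bytes((i * 73 + 41) % 256 for i in range(96))
_FRAGMENTS = [base64.b64encode(_CIPHERTEXT[i:i + 32]).decode() for i in (0, 32, 64)]

# Constructed resolver log in a hypothetical '<client> <qname> TXT "<rdata>"'
# format, one TXT answer per line. "c2.example" is a placeholder domain.
SAMPLE_LOG = [
    '10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com -all"',
    *[f'10.0.0.5 health-value-qzxp.c2.example TXT "{f}"' for f in _FRAGMENTS],
    '10.0.0.7 example.org TXT "v=spf1 -all"',
]

_LINE = re.compile(r'^(\S+)\s+(\S+)\s+TXT\s+"(.*)"$')

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit near the 8-bit ceiling."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def decode_fragment(rdata: str):
    """Return decoded bytes if rdata is strict base64, else None. SPF and
    site-verification records contain '=', ':' or spaces and so fail here."""
    try:
        return base64.b64decode(rdata, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def suspicious_txt_queries(log_lines, min_fragments=2, min_entropy=5.0):
    """Group TXT answers by (client, qname) and flag names whose answers are all
    base64 fragments that together decode to high-entropy data."""
    fragments = defaultdict(list)
    for line in log_lines:
        m = _LINE.match(line)
        if m:
            fragments[(m.group(1), m.group(2))].append(m.group(3))
    flagged = {}
    for key, rdatas in fragments.items():
        decoded = [decode_fragment(r) for r in rdatas]
        if len(decoded) >= min_fragments and all(d is not None for d in decoded):
            joined = b"".join(decoded)
            if shannon_entropy(joined) >= min_entropy:
                flagged[key] = {"fragments": len(decoded), "payload_bytes": len(joined)}
    return flagged

if __name__ == "__main__":
    for (client, qname), info in suspicious_txt_queries(SAMPLE_LOG).items():
        print(f"{client} {qname}: {info}")
```

The entropy threshold is a tunable heuristic; legitimate base64 TXT records such as DKIM public keys also score high, so treat a hit as a lead for triage, not a verdict.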
Implications and Risks for Users
The initial script functions as a downloader for a second script that establishes backdoor access, gathers information about the infected system, and transmits data such as OS version, installed applications, CPU type, and external IP address. Furthermore, the 'tool' executable modifies system files so that the malicious script is relaunched after a reboot, giving the backdoor persistence.
Kaspersky's evaluation noted that the attackers continually upgrade the backdoor script, highlighting ongoing development, although no active command execution was observed during this period. Additionally, the malware scans for Bitcoin Core and Exodus wallets, replacing any found with tampered versions, which leak critical information to the attackers.
Users are particularly vulnerable if they re-enter their wallet credentials when unexpectedly prompted by the app, potentially leading to financial losses. Kaspersky's team has emphasized that the use of cracked applications is a common, yet highly effective tactic employed by attackers to compromise user systems. The ingeniously disguised delivery mechanism using domain TXT records further exemplifies the evolving sophistication of these malicious campaigns.