The attack is being targeted to macOS Ventura and later, depending on the vulnerable applications repackaged as PKG files that include a trojan.
Attack details
The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain.
While downloading an Application/folder, victims tend to follow installation instructions, unaware that they are actually executing the malware. Following this, they open the bogus Activator window that asks for the administrator password.
The malware uses the 'AuthorizationExecuteWithPrivileges' method to execute a 'tool' executable (Mach-O) after acquiring permission. If Python 3 is not already installed on the system, it installs it and appears to be "app patching."
The malware then contacts its C2 server, at a site named ‘apple-health[.]org,’ in order to obtain a base64- encoded Python script that is designed to run arbitrary commands on the targeted device.
Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.
This way, the hacker was able to conceal its activity in traffic and download the Python script payload disguised as TXT records from the DNS server, which seem like common requests.
Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.
This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.
Kaspersky notes that during their analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but didn't see command execution, thus this might not have been deployed yet.
Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'
The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.
Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied.
As indicators of compromise, the cracked software used in this campaign is made public in the Kaspersky study. According to the researchers, these applications "are one of the easiest ways for malicious actors to get to users’ computers."
While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.