Cybercriminals are targeting Mac users with a new proxy trojan malware arranged with popular, copyrighted macOS software actuality offered on warez sites.
Proxy trojan malware infects computers, axis them into traffic-forwarding terminals acclimated to anonymize awful or actionable activities such as hacking, phishing, and affairs for adulterous goods.
Selling acceptance to proxies is a lucrative business that has accustomed bearing to massive botnets, with Mac devices not actuality spared by this boundless activity.
The latest attack blame proxy malware was apparent by Kaspersky, which letters the ancient acquiescence of the burden on VirusTotal dates to April 28, 2023.
Bundled with accepted warez
The attack takes advantage of people's alertness to accident their computer's aegis to abstain advantageous for exceptional apps.
Kaspersky begin 35 angel editing, video compression and editing, abstracts recovery, and arrangement scanning accoutrement abstemious with the proxy trojan to allurement users attractive for chargeless versions of bartering software.
The best accepted of the trojanized software in this attack are:
- 4K Video Donwloader Pro
- Aissessoft Mac Data Recovery
- Aiseesoft Mac Video Converter Ultimate
- AnyMP4 Android Data Recovery for Mac
- Downie 4
- FonePaw Data Recovery
- Wondershare UniConverter 13
- SQLPro Studio
- Artstudio Pro
Kaspersky says that clashing the accepted software, which are broadcast as deejay images, the trojanized versions are downloaded as PKG files.
Compared to deejay angel files, which are the accepted accession average for these programs, PKG files are far riskier as they can assassinate scripts during the accession of the app.
Because installer files are accomplished with agent rights, any scripts they assassinate accretion the aforementioned permissions back assuming alarming actions, including book modification, book autorun, and command execution.
In this case, the anchored scripts are activated afterwards the program's accession to assassinate the trojan, a WindowServer file, and accomplish it appear as a arrangement process.
WindowServer is a accepted arrangement action in macOS amenable for managing the clear user interface, so the trojan aims to alloy with accepted arrangement operations and baffle user scrutiny.
The book tasked with ablution WindowServer aloft OS startup is called "GoogleHelperUpdater.plist," artful a Google agreement file, again, aiming to be disregarded by the user.
Upon launch, the trojan connects to its C2 (command and control) server via DNS-over-HTTPS (DoH) to accept commands apropos to its operation.
Kaspersky couldn't beam these commands in action, but through analysis, deduced that the applicant supports creating TCP or UDP access to facilitate proxying.
In accession to the macOS attack application PKGs, the aforementioned C2 basement hosts proxy trojan payloads for Android and Windows architectures, so the aforementioned operators acceptable ambition a advanced ambit of systems.