A new malware attack discovered by Kaspersky targets MacBook users in the crypto space by repacking pre-cracked applications with a Trojan proxy and a post-installation script. The malware executes arbitrary commands and steals sensitive information from the infected system.
Kaspersky researchers have found a new malware campaign aimed at MacBook users who work with cryptocurrency. The malware is hidden in pirated software that the attackers give away for free, and people looking for free apps download it without realizing there is malware inside.
Once users attempt to install the cracked applications, they unknowingly trigger the infection process. The infected installation package displays a window with installation instructions, asking them to copy the application to the /Applications/ directory and launch an application called “Activator.”
Activator, however, is not a genuine application but a malware component that prompts users to enter a password, effectively granting the malware administrator privileges. Upon execution, the malware checks the system for an installed copy of Python 3 and, if absent, installs a previously copied version of Python 3 from the MacBook operating system directory.
The malware then “patches” the downloaded app by comparing the modified executable with a sequence hardcoded inside Activator. If a match is found, the malware removes the initial bytes, making the application appear cracked and functional to the user.
The working cracked app, however, is only a decoy: at this point the malware launches its main payload.
What the Malware Does
The infected sample establishes communication with a command-and-control (C2) server by generating a unique web address through a combination of hardcoded words and a random third-level domain name.
This method lets the malware hide its activity inside ordinary DNS traffic while ensuring the payload is downloaded.
The decrypted script obtained from the C2 server reveals that the malware operates by executing arbitrary commands received from the server. These commands are often delivered as Base64-encoded Python scripts.
Furthermore, the malware harvests sensitive information from the infected system, including the operating system version, user directories, list of installed applications, CPU type, and external IP address. The gathered data is then sent back to the server.
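A defender-side triage sketch for the C2 behaviour described above, added here and not part of Kaspersky's report or of the malware: it scans DNS resolver log lines for TXT answers that decode to Python-like source and are served to several random-looking third-level labels under one parent domain. The log line format, the domain names and the payloads are constructed for illustration, and treating TXT records as the delivery channel is an assumption, since the article only says "DNS server traffic".

```python
import base64
import binascii
import math
from collections import defaultdict

# Substrings whose presence in decoded TXT data suggests a Python script rather than ordinary text.
PYTHON_MARKERS = ("import ", "exec(", "subprocess", "os.system", "__import__")

def shannon_entropy(label):
    """Bits per character; dictionary words score lower than random DGA-style labels."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def decode_python_payload(txt):
    """Return the decoded text if `txt` is strict Base64 that decodes to Python-like source, else None."""
    try:
        decoded = base64.b64decode(txt, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if any(m in decoded for m in PYTHON_MARKERS) else None

def find_dga_txt_c2(lines, min_hosts=2, min_entropy=1.5):
    """Group TXT answers by parent domain; flag parents serving Python payloads to several random-looking labels."""
    hits = defaultdict(list)
    for line in lines:
        qname, qtype, answer = line.split(maxsplit=2)
        if qtype != "TXT":
            continue
        label, _, parent = qname.partition(".")  # third-level label vs. the hardcoded parent
        payload = decode_python_payload(answer)
        if payload is None or shannon_entropy(label) < min_entropy:
            continue
        hits[parent].append((qname, payload))
    return {p: v for p, v in hits.items() if len({q for q, _ in v}) >= min_hosts}

def b64_text(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample log lines "<qname> <qtype> <answer>"; domains and payloads are invented (assumed format).
SAMPLE_DNS_LOG = [
    "mail.example.com A 93.184.216.34",
    "example.com TXT v=spf1 include:_spf.example.com ~all",
    "svc.legit.example TXT " + b64_text("hello world"),  # valid Base64, but not a script
    "kqzfp.wordone-wordtwo.example TXT " + b64_text("import platform; print(platform.mac_ver())"),
    "xvmtr.wordone-wordtwo.example TXT " + b64_text("import subprocess; subprocess.run(['sw_vers'])"),
]

if __name__ == "__main__":
    for parent, entries in find_dga_txt_c2(SAMPLE_DNS_LOG).items():
        print(parent, "->", [q for q, _ in entries])
```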
How to Protect Your MacBook from the Malware Attack
According to Kaspersky, the malware attack is still active and poses a serious threat to MacBook users in the crypto space. The cybersecurity firm advises users to avoid downloading applications from untrusted sources, especially those that claim to be pre-cracked or offer paid features for free.
Users should also install reliable antivirus software, keep it updated, and scan their system regularly for any signs of infection.
MacBook users should also be wary of suspicious password or permission requests and report any anomalies to their antivirus vendor.