Kaspersky researchers have unearthed an unconventional strain of macOS malware. This previously unknown family of malicious software, distributed discreetly through pirated applications, targets the cryptocurrency that macOS users store in digital wallets. In contrast to the proxy trojans previously found by Kaspersky, this new threat focuses on compromising those wallets.
This crypto Trojan is unique in two ways: first, it uses DNS records to deliver its malicious Python script. Secondly, it doesn’t just steal crypto wallets; it replaces a wallet application with its own infected version. This allows it to steal the secret phrase used to access the cryptocurrency stored in the wallets.
The malware targets macOS versions 13.6 and above, indicating a focus on users of newer operating systems, on both Intel and Apple Silicon devices. Compromised disk images contain an “activator” and the sought-after application. The activator, seemingly benign at first glance, activates the compromised application after the user enters their password.
The attackers utilize pre-compromised versions of the application, manipulating the executable files to make them non-functional until the user runs the activator. This tactic ensures the user unwittingly activates the compromised application.
After the patching process, the malware executes its primary payload by retrieving the DNS TXT record of a malicious domain and decrypting a Python script from it. The script runs in an endless loop, trying to download the next stage of the infection chain, which is also a Python script.
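The DNS TXT delivery described above gives defenders a detection hook. The following added example (not Kaspersky's code, and not from the Securelist write-up) runs a heuristic over constructed DNS log lines: a TXT answer that is long, almost entirely base64 characters and high-entropy, and does not start like a known record type (SPF, DKIM, DMARC), gets flagged. The log line format and the placeholder domains are assumptions.

```python
import base64
import math
import re
from typing import Dict, List

# Prefixes of common, legitimately long or base64-heavy TXT records.
KNOWN_BENIGN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")
BASE64_CHARS = re.compile(r"[A-Za-z0-9+/=]")

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; pure base64 text tops out near 6."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious_txt(rdata: str, min_len: int = 200) -> bool:
    """Flag a long, near-pure base64, high-entropy answer that does not start like a known record type."""
    data = rdata.strip().strip('"')
    if data.startswith(KNOWN_BENIGN_PREFIXES) or len(data) < min_len:
        return False
    b64_ratio = len(BASE64_CHARS.findall(data)) / len(data)
    return b64_ratio >= 0.95 and shannon_entropy(data) >= 4.5

def scan_dns_log(lines: List[str]) -> List[str]:
    """Return queried names whose TXT answer trips the heuristic.
    Assumed line format: ts client qname qtype rdata (constructed for this example)."""
    flagged = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[3] != "TXT":
            continue
        if is_suspicious_txt(parts[4]):
            flagged.append(parts[2])
    return flagged

# Constructed sample data: a byte-diverse blob stands in for an encrypted script,
# a second blob plays a DKIM public key. Domains are placeholders, not real indicators.
FAKE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
FAKE_DKIM_KEY = base64.b64encode(bytes(range(0, 256, 3)) * 2).decode()
SAMPLE_LOG = [
    "2024-01-22T10:01:03Z 10.0.0.5 example.com TXT v=spf1 include:_spf.example.com ~all",
    "2024-01-22T10:01:09Z 10.0.0.5 sel1._domainkey.example.com TXT v=DKIM1; k=rsa; p=" + FAKE_DKIM_KEY,
    "2024-01-22T10:02:11Z 10.0.0.5 txt.stage1.placeholder.invalid TXT " + FAKE_BLOB,
]
```

Tune `min_len` and the prefix list to your environment; DKIM keys and site-verification tokens are the usual false positives, which is why they are excluded by prefix rather than by entropy.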
The purpose of the next payload is to execute arbitrary commands received from the server. Although no commands were received during the investigation, the backdoor was being updated regularly, so the malware campaign is evidently still in development. The code suggests the commands are likely encoded Python scripts.
Apart from the mentioned functionalities, the script contains two notable features involving the domain apple-analyzer[.]com. Both functions aim to check for the presence of cryptocurrency wallet applications and replace them with versions downloaded from the specified domain. This tactic was observed targeting both the Bitcoin and Exodus wallets, turning these applications into malicious entities.
“The macOS malware linked to pirated software highlights the serious risks. Cybercriminals use pirated apps to easily access users’ computers and get admin privileges by asking them to enter the password. The creators show unusual creativity by hiding a Python script in a DNS server’s record, increasing the malware’s level of stealth in the network’s traffic. Users should be extra cautious, especially with their cryptocurrency wallets. Avoid downloading from suspicious sites and use trusted cybersecurity solutions for better protection,” says Sergey Puzan, a security researcher at Kaspersky.
Read more about the crypto Trojan and backdoor for macOS on Securelist.com.
To stay safe from Trojans and secure your crypto assets, Kaspersky researchers recommend implementing the following measures:
- It’s safer to download your apps only from official stores like the Apple App Store. Apps from these markets are not 100% failsafe, but at least they get checked by store representatives and there is some filtration system — not every app can get into these stores.
- Install a trusted security solution and follow its recommendations. A security solution will then resolve the majority of problems automatically and alert you when necessary.
- Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
- Secure your seed phrase: When setting up your hardware wallet, make sure to write down and securely store your seed phrase. A reliable security solution, such as Kaspersky Premium, will protect your crypto details stored on your mobile device or PC.
- Use a strong password: avoid using easily guessable passwords or reusing passwords from other accounts. To manage passwords effectively and securely, consider utilizing Kaspersky Password Manager.