Mac Malware Masquerade: Pirated Apps Open Backdoor to Your Machine

According to researchers from Jamf Threat Labs, pirated macOS applications distributed through Chinese websites have been trojanized with malware that gives attackers remote access to the infected Mac.

Among the affected applications are popular tools such as Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

The malicious code is bundled into the disk image (.dmg) installers and is built to communicate with attacker-controlled servers. The applications are unsigned, lacking the developer's code signature, and ship with a malicious dynamic library (dylib) that is loaded every time the application launches. That library then downloads two payloads from a remote server: a backdoor named “bd.log” and a loader named “fl01.log” (the .log names are a disguise; neither file is a log). Together they secure a foothold on the system and install additional modules.

The backdoor is written to “/tmp/.test” and grants full access to the infected system. Because it lives under “/tmp,” it is wiped when the computer is restarted, but the dylib fetches it again the next time the trojanized application is launched.

The loader, meanwhile, is dropped at the hidden path “/Users/Shared/.fseventsd,” a name that mimics the legitimate .fseventsd directory macOS keeps at the root of every volume. It registers itself to run automatically at startup and sends an HTTP request to the attackers' server. That server is currently unreachable, but the loader was designed to write the server's response to “/tmp/.fseventsds” and then execute the code it received.
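The file paths and persistence behaviour described above can be turned into a quick triage check. The script below is an added example, not code from Jamf Threat Labs or from the report it describes. It looks for the three paths named in the article, searches launch agent and daemon plists for a reference to the hidden loader (an assumed heuristic, since the page does not say how the startup task is written), and, on a live Mac, verifies an app's code signature with codesign and lists the libraries its binaries link against with otool. The ROOT argument is an assumption added so the same functions can be run against a mounted disk image or a constructed test directory rather than the live system.

```shell
#!/bin/sh
# Triage script for the indicators described above (added example, not from
# the Jamf report). ROOT lets you point it at a mounted disk image or a test
# tree instead of the live system; pass "" to scan the running system.

# File-system indicators named in the report: the backdoor, the loader, and
# the loader's staging file. The loader path may be a file or a directory.
IOC_PATHS="/tmp/.test /Users/Shared/.fseventsd /tmp/.fseventsds"

# Print every indicator present under ROOT; returns 1 if any was found.
scan_iocs() {
    root="${1:-}"
    found=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'IOC present: %s\n' "$root$p"
            found=1
        fi
    done
    return $found
}

# Look through launch agents and daemons for a program path that points at the
# hidden loader. Grepping plists for the literal path is an assumption about
# how the persistence entry is written; treat it as a starting point.
scan_launch_items() {
    root="${1:-}"
    found=0
    for dir in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
               "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q '/Users/Shared/\.fseventsd' "$plist"; then
                printf 'suspicious launch item: %s\n' "$plist"
                found=1
            fi
        done
    done
    return $found
}

# On a live Mac, verify the bundle's signature and list the libraries its main
# binaries link against: the pirated builds are unsigned and pull in an extra
# dylib. Both checks are skipped where the Apple tools are not installed.
inspect_app() {
    app="$1"
    if command -v codesign >/dev/null 2>&1; then
        if codesign --verify --deep --strict "$app" 2>/dev/null; then
            printf 'signature OK: %s\n' "$app"
        else
            printf 'UNSIGNED or tampered: %s\n' "$app"
        fi
    fi
    if command -v otool >/dev/null 2>&1; then
        # Anything linked from outside /usr/lib and /System deserves a look.
        otool -L "$app/Contents/MacOS"/* 2>/dev/null \
            | grep '\.dylib' | grep -v -e '/usr/lib/' -e '/System/' \
            | sed "s|^|non-system dylib in $app: |"
    fi
}

# Usage: sh hunt.sh ROOT [/Applications/App.app ...]   (ROOT may be "")
main() {
    root="$1"; shift
    status=0
    scan_iocs "$root" || status=1
    scan_launch_items "$root" || status=1
    for app in "$@"; do inspect_app "$app"; done
    return $status
}

# Run only when invoked with arguments so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh hunt.sh "" "/Applications/Navicat Premium.app"` on a live system, or with ROOT set to the mount point of an image. A hit on /tmp/.test means the backdoor has been present since the last restart; a miss proves little, because /tmp is cleared on reboot and the dylib will download the backdoor again the next time the trojanized application is launched.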

The researchers assess that this malware is related to the previously identified ZuRu family, which was also distributed through pirated applications on Chinese sites. It most likely represents a new iteration of ZuRu, given the choice of target applications, the injection method, and the shared attacker infrastructure.