Proxy Malware for macOS Spreads with Pirated Software

Experts from Kaspersky Lab have warned about the discovery of new malware targeting macOS users, which is being distributed through cracked applications and pirate websites. This proxy trojan uses infected computers to redirect traffic and anonymize malicious and illegal activities.

Researchers note that this type of malware can be used to commit a wide range of crimes on behalf of the victim, from attacks on websites, companies, and other users to purchasing weapons, drugs, and more.

Infected Applications

In total, experts found 35 tools for image editing, video compression and editing, data recovery, and network scanning that were infected with this proxy trojan. The most popular software in this campaign includes:

  • 4K Video Downloader Pro
  • Aiseesoft Mac Data Recovery
  • Aiseesoft Mac Video Converter Ultimate
  • AnyMP4 Android Data Recovery for Mac
  • Downie 4
  • FonePaw Data Recovery
  • Sketch
  • Wondershare UniConverter 13
  • SQLPro Studio
  • Artstudio Pro

Unlike the legitimate software, which is distributed as disk images, the malicious versions are downloaded as .PKG installers. These files are handled by the macOS Installer utility and can execute scripts before and after the actual application installation.

In the samples collected by researchers, the scripts were launched only after the program was installed, in order to run the trojan—a file named WindowServer—and disguise it as a system process.
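Because the trojan borrows the name of a genuine macOS process, one simple hunt is to compare every running WindowServer against where the real one lives. The following is an added example, not code from the Kaspersky report: it parses constructed `ps -axo pid=,user=,comm=` output and flags any WindowServer that does not run from the system path under the `_windowserver` account (both the path and the account name are assumptions; verify them on your own macOS release).

```python
import re
from pathlib import PurePosixPath

# Assumed location and service account of the genuine macOS WindowServer.
# Verify both on the macOS version you are investigating.
LEGIT_WINDOWSERVER = (
    "/System/Library/PrivateFrameworks/SkyLight.framework"
    "/Versions/A/Resources/WindowServer"
)
LEGIT_USER = "_windowserver"

# Constructed sample of `ps -axo pid=,user=,comm=` output (not real telemetry).
SAMPLE_PS = """\
  142 _windowserver /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
  911 alice /Applications/Video Converter.app/Contents/MacOS/WindowServer
 1203 alice /Users/alice/Library/Application Support/.helper/WindowServer
 1300 alice /Applications/Safari.app/Contents/MacOS/Safari
"""

# pid, user, then the executable path (which may contain spaces).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_ps(text):
    """Return a list of (pid, user, path) tuples parsed from ps output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def find_masquerading(rows):
    """Flag processes named WindowServer that are not the genuine one.

    A hit means the binary is outside the system framework path or is
    running as a regular user instead of the dedicated service account.
    """
    findings = []
    for pid, user, path in rows:
        if PurePosixPath(path).name != "WindowServer":
            continue
        if path != LEGIT_WINDOWSERVER or user != LEGIT_USER:
            findings.append((pid, user, path))
    return findings


if __name__ == "__main__":
    for pid, user, path in find_masquerading(parse_ps(SAMPLE_PS)):
        print(f"suspicious WindowServer: pid={pid} user={user} path={path}")
```

On a live host, feed it the real output of `ps -axo pid=,user=,comm=` instead of the constructed sample.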

How the Malware Works

The malicious WindowServer turned out to be a universal binary, and analysts found several versions of this application—the earliest of which was uploaded to VirusTotal on April 28, 2023. None of the versions were flagged as malicious by antivirus vendors.

Once launched, the trojan creates log files and tries to obtain the IP address of its command-and-control (C&C) server using DNS-over-HTTPS (DoH), thus hiding the DNS request from traffic monitoring tools and making it indistinguishable from a regular HTTPS request.

After receiving a response, it establishes a connection with the control server at register[.]akamaized[.]ca via the WebSocket protocol, sending its version and waiting for a command and corresponding message in return. Although researchers were unable to observe the commands received by the malware in action, they concluded that the client supports creating TCP or UDP connections to facilitate proxying.

Other Platforms Also Affected

The report notes that, in addition to macOS applications, several samples were found that connect to the same control server but are intended for Android and Windows. These are also proxy trojans and are distributed together with pirated software.
