Kaspersky Lab: proxy virus turns Mac into a tool for illegal traffic

Brother
By downloading pirated software, you can unwittingly become a cover for cybercrime operating behind the scenes.

Kaspersky Lab reports that cybercriminals have launched a new campaign against Mac users, using a proxy Trojan that spreads through pirated copies of popular macOS programs hosted on malicious sites. The proxy Trojan turns infected computers into traffic-forwarding nodes that are used to anonymize malicious or illegal activity, such as hacking, phishing, and transactions involving illegal goods.

Similar activity around the sale of access to proxy servers has already given rise to large botnets, and, as Kaspersky Lab emphasizes, Mac devices were among the victims. The newly discovered campaign, first mentioned on April 28, 2023, exploits users' desire to save money on licensed software.

Kaspersky Lab detected 35 infected programs, including popular tools for image editing, video editing, data recovery, and network scanning.

It is important to note that, unlike the original programs, which are distributed as disk images, the infected versions are offered in PKG format. This format is more dangerous because it allows scripts to execute during installation, which can lead to unauthorized access and changes to the system.

It is especially dangerous when such scripts, like the installer itself, run with administrator rights. This level of access allows an attacker to perform malicious actions, including modifying files, setting files to run automatically at startup, and executing commands.

After the infected program is installed, a Trojan is activated that disguises itself as the WindowServer process, a legitimate macOS system process. This allows the Trojan to stay inconspicuous and blend into the system's routine operations.

The file "GoogleHelperUpdater.plist", which mimics a Google configuration file, also helps hide the malware. After activation, the Trojan communicates with its Command and Control (C2) server via DNS-over-HTTPS (DoH), receiving commands for its operation. Kaspersky Lab's analysis showed that the malware can create TCP or UDP connections, providing traffic proxying.
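The two masquerading tricks described above (a process calling itself WindowServer that does not run from the system's own binary, and a launchd plist with a Google-looking name that starts something from an unexpected path) are both checkable from the defender's side. The following is an added example, not code from Kaspersky Lab or from the forum post: a small audit that parses `pid path` lines in the shape of `ps` output and launchd plist data, flagging both patterns. All sample data is constructed, and the expected WindowServer path and the trusted Google prefixes are assumptions to confirm against a clean macOS install.

```python
"""Added example (not from the Kaspersky report or the forum post): a
defender-side audit for the two masquerading tricks the post describes.
All input below is constructed sample data; the path constants are
assumptions to verify against a clean macOS system."""

import plistlib

# Assumption: on a clean system the genuine WindowServer runs from here.
EXPECTED_WINDOWSERVER = (
    "/System/Library/PrivateFrameworks/SkyLight.framework/"
    "Versions/A/Resources/WindowServer"
)

# Assumption: genuine Google helper agents launch from these prefixes.
TRUSTED_GOOGLE_PREFIXES = (
    "/Library/Google/",
    "/Applications/Google Chrome.app/",
)

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/")


def find_fake_windowserver(ps_lines):
    """Given lines shaped like `ps -axo pid=,comm=` output (pid, then the
    executable path, which may contain spaces), return (pid, path) pairs
    whose executable is named WindowServer but is not the system binary."""
    hits = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        pid, path = parts
        name = path.rsplit("/", 1)[-1]
        if name == "WindowServer" and path != EXPECTED_WINDOWSERVER:
            hits.append((int(pid), path))
    return hits


def check_launch_plist(plist_bytes):
    """Parse a launchd plist and return a list of findings (empty = clean).
    Flags a Google-looking label whose program lives outside the trusted
    Google paths, and any RunAtLoad program started from a temp directory."""
    data = plistlib.loads(plist_bytes)
    findings = []
    label = data.get("Label", "")
    program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
    if "google" in label.lower() and not program.startswith(TRUSTED_GOOGLE_PREFIXES):
        findings.append(
            f"label {label!r} launches {program!r} outside trusted Google paths"
        )
    if data.get("RunAtLoad") and program.startswith(TEMP_PREFIXES):
        findings.append(f"RunAtLoad program in a temp directory: {program!r}")
    return findings


# Constructed sample data so the script runs stand-alone.
SAMPLE_PS = [
    "  173 " + EXPECTED_WINDOWSERVER,
    " 4821 /Users/demo/Library/Application Support/.hidden/WindowServer",
    " 4822 /usr/sbin/distnoted",
]

# Constructed: a persistence plist borrowing a Google-style label.
SAMPLE_BAD_PLIST = plistlib.dumps({
    "Label": "com.google.helperupdater",
    "ProgramArguments": [
        "/Users/demo/Library/Application Support/.hidden/WindowServer"
    ],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed: a benign-looking plist under a trusted Google prefix.
SAMPLE_CLEAN_PLIST = plistlib.dumps({
    "Label": "com.google.keystone.agent",
    "ProgramArguments": ["/Library/Google/GoogleSoftwareUpdate/agent"],
    "RunAtLoad": True,
})


if __name__ == "__main__":
    for pid, path in find_fake_windowserver(SAMPLE_PS):
        print(f"suspicious WindowServer: pid={pid} path={path}")
    for finding in check_launch_plist(SAMPLE_BAD_PLIST):
        print("plist finding:", finding)
    print("clean plist findings:", check_launch_plist(SAMPLE_CLEAN_PLIST))
```

On a real host, feed `find_fake_windowserver` the output of `ps -axo pid=,comm=` and `check_launch_plist` the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; a hit is a lead to investigate, not proof of infection, since the path constants here are assumptions.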

In addition to the macOS campaign using PKG, the same management infrastructure hosts proxy Trojans for the Android and Windows architectures, so the same operators probably target a wide range of systems.
 