Mac Malware Alert: Cracked Apps Harbor Trojan-Proxy Threat

Trojan-Proxy
Image: Securelist

In the constantly shifting landscape of cybersecurity, a new, insidious threat has emerged, targeting the macOS ecosystem. Kaspersky researchers have identified several cracked applications disseminated through unofficial channels, harboring a Trojan-Proxy. This malicious software empowers attackers to establish proxy networks for financial gain or engage in illicit activities, including cyberattacks and procurement of illegal goods.

Historically, illegally distributed software has been a trojan horse for sneaking malware onto devices. Cybercriminals, recognizing the tendency of users to seek out cracked applications, have begun embedding a Trojan-Proxy into these applications. Once installed, this malware type can be utilized to construct a proxy server network or engage in criminal activities such as launching attacks, purchasing illegal goods, and more.

Image: Securelist

Differing from their legitimate counterparts, the infected applications are distributed as .PKG installers. Upon installation, these installers execute scripts that perform several malicious actions. They replace certain system files with dubious ones from the application’s resources, notably ‘WindowServer’ and ‘p.plist’, and grant them administrative privileges. The ‘p.plist’ file is particularly deceptive, posing as a Google configuration file to auto-start the ‘WindowServer’ file as a system process upon the operating system’s load.

The ‘WindowServer’ file, a universal format binary file undetected by anti-malware vendors, is key to the Trojan’s operation. After activation, it creates log files and reaches out to a Command & Control (C&C) server using DNS-over-HTTPS (DoH), a technique that masks its DNS requests as regular HTTPS requests, thereby evading traffic monitoring. The Trojan then establishes a WebSocket connection with the C&C server, awaiting commands to execute further malicious activities.

Research reveals an evolution in the Trojan’s versions. Notably, the latest version cannot check or update itself, a feature present but unused in the code. This could imply a shift in the attackers’ strategy or a move towards a more static form of attack. Furthermore, older versions used regular DNS requests instead of DoH to communicate with the C&C server. All versions, however, are consistent in their method of logging activities to specific files, which can be an indicator of the malware’s presence.

Alarmingly, this Trojan-Proxy is not confined to macOS. Similar versions have been found targeting Android and Windows platforms, all connecting to the same C&C server. These discoveries highlight the expansive nature of this threat and underscore the necessity for cross-platform vigilance in cybersecurity efforts.