The Hidden Threat in Pirated macOS Applications: Unveiling a New Malware Campaign

Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley discovered a new macOS malware campaign lurking within pirated software. This new malware, resembling the notorious ZuRu malware, operates by injecting malicious payloads into pirated macOS applications found on Chinese pirating websites, thereby compromising users’ machines without their knowledge.

The Jamf Threat Labs team stumbled upon a suspicious executable named `.fseventsd`, hidden due to its prefix with a period and mimicking an operating system process, raising immediate red flags for further investigation. This executable was part of a larger DMG file containing pirated applications backdoored with the same malware. Notably, these compromised applications were distributed through macyy[.]cn, a site known for hosting pirated software.

Image: jamf

The infected applications employ a malicious dynamic library (dylib) that acts as a dropper, executing malicious binaries each time the application is opened. These binaries include:

• Malicious dylib: Serves as the dropper for other payloads.
• Backdoor: Utilizes the Khepri open-source command and control (C2) and post-exploitation tool.
• Persistent downloader: Sets up persistence and fetches additional payloads.

One particularly sneaky aspect of this campaign is the modification of legitimate application bundles to include an additional load command, which triggers the execution of the malware upon opening the app.

The malware showcases advanced macOS malware techniques, such as using a malicious dylib to hook into applications, breaking the application’s signature. This dylib reaches out to specific URLs to download payloads encoded with a custom XOR routine, cleverly designed to evade detection and analysis.

Furthermore, the malware manipulates command-line arguments to blend in with legitimate system processes, a technique aimed at avoiding detection by savvy users and security tools. This manipulation allows the malware to maintain a low profile on infected machines.

Among the downloaded executables, one functions as a persistent downloader, creating a LaunchAgent to ensure its execution at system startup, disguising itself with a com.apple prefix to appear legitimate. This component is capable of executing arbitrary payloads from the attacker’s server, representing a significant threat to system security.

This campaign’s similarities to the ZuRu malware discovered in 2021 suggest it might be a successor, targeting the same victim pool and utilizing modified load commands and attacker infrastructure. The primary targets appear to be users in China, based on the distribution channels and IP addresses associated with the malware’s command and control servers.

Jamf Threat Labs’ discovery highlights the ongoing risk posed by pirated software and the sophisticated means by which attackers exploit such channels to disseminate malware. Users are often willing to bypass security warnings to access pirated applications, a behavior that attackers exploit to spread malware. This campaign underscores the importance of vigilance and the dangers of compromising digital security for unauthorized software access.