New malware targeting Mac users via pirated software, researchers warn
Kaspersky security researchers have warned about new trojan-proxy malware targeting Mac users. The malware is being distributed through cracked software, allowing the attackers to hijack the victim’s computer and use it as a proxy to connect to the internet.
People using cracked software are always easy targets for cybercriminals as they are usually willing to download software from unknown sites and even pause the antivirus during installation.
The cybercriminals can gain money from these attacks by creating a proxy server network or worse, using the infected devices to perform illegal activities such as launching DDoS attacks and buying guns, drugs, and other illegal goods.
According to the security researchers, the infected applications are being distributed as .PKG installers instead of the original, untampered .DMG files. The difference is that .PKG files can run scripts before and after the actual installation.
The trojan-proxy malware works by masking itself as the WindowServer process on macOS to evade detection. WindowServer is a core system process responsible for window management and rendering applications' graphical user interface (GUI).
Once it is executed, the malware attempts to obtain the IP address of the command-and-control (C2) via DNS-over-HTTPS (DoH). This makes it very hard to flag it using traffic monitoring tools since it looks like a regular HTTPS request. An older version of the malware was observed that communicated with the C2 server using regular DNS requests.
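The two behaviours described above, masquerading as WindowServer and resolving the C2 address over DoH, both leave traces in endpoint telemetry. The following is an added example of defender-side heuristics over that telemetry; it is not code from the article or from Kaspersky. The reference path for the genuine WindowServer binary, the allow-list of processes expected to use DoH, and the sample events are all assumptions constructed for the demonstration.

```python
"""Heuristics for two behaviours of the trojan-proxy described in the article:
a process named WindowServer running from a non-system path, and HTTPS
connections to public DNS-over-HTTPS endpoints from processes that have no
business resolving names that way. All input here is constructed sample
telemetry, not data from a real infection."""
from dataclasses import dataclass
from typing import List

# Assumed reference path of the genuine WindowServer binary on recent macOS.
# Verify against a known-good host before relying on it in production.
GENUINE_WINDOWSERVER = (
    "/System/Library/PrivateFrameworks/SkyLight.framework/"
    "Versions/A/Resources/WindowServer"
)

# Publicly documented DoH endpoints; extend with resolvers your fleet uses.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Processes expected to talk to DoH resolvers (assumption: tune per fleet).
DOH_ALLOWED_PROCESSES = {"Safari", "Google Chrome", "firefox", "mDNSResponder"}


@dataclass
class Event:
    process: str      # process name as reported by the endpoint agent
    path: str         # executable path of that process
    dest_host: str    # SNI or resolved hostname of the destination ("" if none)
    dest_port: int    # destination port (0 if no network activity)


def is_masquerading_windowserver(ev: Event) -> bool:
    """Name matches the system process but the binary lives elsewhere."""
    return ev.process == "WindowServer" and ev.path != GENUINE_WINDOWSERVER


def is_unexpected_doh(ev: Event) -> bool:
    """HTTPS to a known DoH endpoint from a process not on the allow-list."""
    return (
        ev.dest_port == 443
        and ev.dest_host.lower() in DOH_HOSTS
        and ev.process not in DOH_ALLOWED_PROCESSES
    )


def flag_suspicious(events: List[Event]) -> List[str]:
    """Return one human-readable finding per matching heuristic, in input order."""
    findings = []
    for ev in events:
        if is_masquerading_windowserver(ev):
            findings.append(f"masquerade: '{ev.process}' running from {ev.path}")
        if is_unexpected_doh(ev):
            findings.append(f"doh: {ev.process} -> {ev.dest_host}:{ev.dest_port}")
    return findings


# Constructed sample telemetry: one benign WindowServer, one browser using
# DoH legitimately, and one look-alike that trips both heuristics.
SAMPLE_EVENTS = [
    Event("WindowServer", GENUINE_WINDOWSERVER, "", 0),
    Event("Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
          "dns.google", 443),
    Event("WindowServer",
          "/Users/demo/Library/Application Support/.hidden/WindowServer",
          "cloudflare-dns.com", 443),
]

if __name__ == "__main__":
    for line in flag_suspicious(SAMPLE_EVENTS):
        print(line)
```

The point of the second heuristic is that DoH traffic is indistinguishable from ordinary HTTPS on the wire, so the useful signal is not the packet contents but which process is opening the connection and where it is going; pairing process identity with destination is what a network-only monitor cannot do.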
Once a connection with the C2 server is established, the malware awaits further instructions. It parses incoming messages for the IP address to connect to, the protocol to use, and the message to send, signaling its ability to act as a proxy over TCP or UDP and redirect traffic through the infected host.
There is also evidence that the malware is not just targeting Mac users: the researchers discovered Android and Windows variants communicating with the same C2 server.
To avoid falling victim, users are encouraged to only download software from legitimate sites.