Security researchers have detected a new strain of malware hidden in some commonly pirated macOS applications. Once installed, the apps unknowingly execute trojan-like malware in the background of a user’s Mac. What happens from here is nothing good…
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
This is Security Bite, your weekly security-focused column on 9to5Mac. Every Sunday, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, and sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices. Stay informed, stay secure.
While investigating several threat alerts, Jamf Threat Lab researchers came across an executable file with the name .fseventsd. The executable uses the name of an actual process (not by accident) built into the macOS operating system used to track changes to files and directories and store event data for features like Time Machine backups. However, .fseventsd isn’t an executable. It’s a native log. On top of this, Jamf found that Apple did not sign the suspicious file.
“Such characteristics often warrant further investigation,” Jamf Threat Labs stated in a blog post about the research led by Ferdous Saljooki and Jaron Bradley. “Using VirusTotal we were able to determine that this curious-looking .fseventsd binary was originally uploaded as part of a greater DMG file.”
The duo discovered five disk image (DMG) files containing modified code of commonly pirated applications, including FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.
“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf explains. “Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”
While on the surface, the apps may look and behave as intended, a dropper is executed in the background to establish communications with an attacker-controlled infrastructure.
At a higher level, the .fseventsd binary executes three malicious activities (in this order). First, the malicious dylib (dynamic library) file is loaded, which acts as a dropper executing each time the application is opened. This is followed by a backdoor binary download that uses the Khepri open-source command-and-control (C2) and post-exploitation tool and a downloader that sets up persistence and downloads additional payloads.
The Khepri open-source project can allow attackers to collect information about a victim’s system, download and upload files, and even open a remote shell, Jamf explains. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands, and attacker infrastructure.”
Interestingly, since the Khepri backdoor remains hidden in a temporary file, it deletes whenever the victim’s Mac reboots or shuts down. However, the malicious dylib will load again the next time the user opens the application.
How to protect yourself
While Jamf believes this attack primarily targets victims in China (on [.]cn websites), it’s important to remember the inherent dangers of pirated software. Unfortunately, many of those installing pirated apps are expecting to see security alerts because the software isn’t legitimate. This leads them to rapidly smash the “Install” button, skipping over any security warning prompts from macOS Gatekeeper.
In addition, install reputable antivirus and anti-malware software. While this particular malware can slip through undetected, having an extra layer of defense on Mac is always good practice.
More on security and privacy
Follow Arin: Twitter (X), LinkedIn, Threads
FTC: We use income earning auto affiliate links. More.
Security researchers have detected a new strain of malware hidden in some commonly pirated macOS applications. Once installed, the apps unknowingly execute trojan-like malware in the background of a user’s Mac. What happens from here is nothing good…
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
This is Security Bite, your weekly security-focused column on 9to5Mac. Every Sunday, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, and sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices. Stay informed, stay secure.
While investigating several threat alerts, Jamf Threat Lab researchers came across an executable file with the name .fseventsd. The executable uses the name of an actual process (not by accident) built into the macOS operating system used to track changes to files and directories and store event data for features like Time Machine backups. However, .fseventsd isn’t an executable. It’s a native log. On top of this, Jamf found that Apple did not sign the suspicious file.
“Such characteristics often warrant further investigation,” Jamf Threat Labs stated in a blog post about the research led by Ferdous Saljooki and Jaron Bradley. “Using VirusTotal we were able to determine that this curious-looking .fseventsd binary was originally uploaded as part of a greater DMG file.”
The duo discovered five disk image (DMG) files containing modified code of commonly pirated applications, including FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit.
“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf explains. “Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”
While on the surface, the apps may look and behave as intended, a dropper is executed in the background to establish communications with an attacker-controlled infrastructure.
At a higher level, the .fseventsd binary executes three malicious activities (in this order). First, the malicious dylib (dynamic library) file is loaded, which acts as a dropper executing each time the application is opened. This is followed by a backdoor binary download that uses the Khepri open-source command-and-control (C2) and post-exploitation tool and a downloader that sets up persistence and downloads additional payloads.
The Khepri open-source project can allow attackers to collect information about a victim’s system, download and upload files, and even open a remote shell, Jamf explains. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands, and attacker infrastructure.”
Interestingly, since the Khepri backdoor remains hidden in a temporary file, it deletes whenever the victim’s Mac reboots or shuts down. However, the malicious dylib will load again the next time the user opens the application.
How to protect yourself
While Jamf believes this attack primarily targets victims in China (on [.]cn websites), it’s important to remember the inherent dangers of pirated software. Unfortunately, many of those installing pirated apps are expecting to see security alerts because the software isn’t legitimate. This leads them to rapidly smash the “Install” button, skipping over any security warning prompts from macOS Gatekeeper.
In addition, install reputable antivirus and anti-malware software. While this particular malware can slip through undetected, having an extra layer of defense on Mac is always good practice.
More on security and privacy
Follow Arin: Twitter (X), LinkedIn, Threads
FTC: We use income earning auto affiliate links. More.