Cracked software has been observed infecting Apple macOS users with previously undocumented data-stealing malware; more precisely, a series of activators (not unlike KMS activators on Windows) capable of collecting system information and data relating to cryptocurrency wallets.
What are the dangers of these activators according to Kaspersky and cybersecurity experts
Kaspersky, which identified the various counterfeit software packages (including their activators) in circulation, stated that they are designed to attack machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs with both Intel and Apple silicon processor architectures.
The attack chains rely on booby-trapped macOS disk image (DMG) files that include a program called “Activator” (the activator itself) and a pirated version of legitimate software such as xScope.
Users who open the DMG are instructed to move both files to the Applications folder and run the Activator component to apply a supposed patch, after which the xScope app can be run.
Launching Activator (and activators of this type in general), however, displays a prompt asking the victim to enter the administrator password, which lets it run a Mach-O binary with elevated privileges to launch the modified xScope executable.
“The idea was that the attackers had taken pre-cracked versions of the applications and added a few bytes to the beginning of the executable, thus disabling it to cause the user to launch Activator,” said security researcher Sergey Puzan.
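The trick Puzan describes (a few junk bytes prepended to an otherwise intact Mach-O executable, so that it no longer launches until the activator "repairs" it) leaves a simple forensic fingerprint: the file does not begin with a Mach-O magic number, but one appears a few bytes in. The following Python is an added example written for this post, not Kaspersky's or the researcher's code; the sample headers are constructed inline, and the 64-byte search window is an assumption.

```python
# Detect a Mach-O executable whose real header has been pushed a few bytes
# down by prepended junk (the "added a few bytes to the beginning" trick).
# Added example; the sample byte strings below are constructed, not real files.

# Mach-O magic numbers as they appear on disk: thin 32/64-bit in both byte
# orders, plus the fat/universal magic used by Intel + Apple silicon builds.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     (32-bit, big-endian layout)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     (32-bit, little-endian layout)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64  (64-bit, big-endian layout)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  (64-bit, little-endian layout)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC    (universal binary)
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}

SEARCH_WINDOW = 64  # assumption: "a few bytes" means well under 64


def classify_executable(data: bytes, search_window: int = SEARCH_WINDOW):
    """Return (verdict, offset).

    verdict is 'valid' when a Mach-O magic sits at offset 0, 'prepended'
    when the first magic is found at a small positive offset (junk bytes
    were inserted before the real header), or 'unknown' otherwise.
    """
    if data[:4] in MACHO_MAGICS:
        return ("valid", 0)
    for off in range(1, min(search_window, max(len(data) - 3, 1))):
        if data[off:off + 4] in MACHO_MAGICS:
            return ("prepended", off)
    return ("unknown", -1)


def classify_file(path: str):
    """Read only the head of a file and classify it; usable on the main
    executable inside an .app bundle (Contents/MacOS/<name>)."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read(SEARCH_WINDOW + 4))


# Constructed samples: a minimal 64-bit little-endian Mach-O header stub,
# and the same stub with three junk bytes prepended.
GOOD_HEADER = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
TAMPERED_HEADER = b"\x07\x00\x03" + GOOD_HEADER
PLAIN_TEXT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_HEADER), ("tampered", TAMPERED_HEADER),
                       ("script", PLAIN_TEXT)]:
        print(name, classify_executable(blob))
```

A "prepended" verdict on an application's main executable is a strong signal that the binary was deliberately broken so a separate "patcher" would be needed, exactly the lure this campaign uses; the normal remediation is to discard the bundle rather than run anything that offers to fix it.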
The next step involves contacting a command and control (C2) server to retrieve an encrypted script. The C2 URL, in turn, is constructed by combining words from two hard-coded lists and adding a random sequence of five letters as the third-level domain name.
A DNS request for this domain is then sent to retrieve three DNS TXT records, each containing a fragment of Base64-encoded ciphertext; the fragments are decoded and assembled into a Python script, which, in turn, establishes persistence and acts as a downloader, contacting “apple-health[.]org” every 30 seconds to download and execute the main payload.
“This was a rather interesting and unusual way of contacting a command and control server and hiding the activity in the traffic, ensuring the payload was downloaded, since the response message came from the DNS server,” Puzan explained, calling it “seriously ingenious.”
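Because the staging step rides on DNS rather than HTTP, it can slip past web-proxy logging, but it still leaves a pattern in DNS telemetry: a TXT query for a three-label name whose leftmost label is five random letters, answered by several records that consist only of Base64 characters. The following Python is an added detection example written for this post, not Kaspersky's tooling; the log format and every domain, IP and answer in it are constructed for illustration, and the heuristics (five lowercase letters, at least two Base64-looking answers of 16+ characters) are assumptions to tune against your own resolver logs.

```python
import re

# Heuristic detector for the DNS TXT staging pattern described above.
# Added example; the log lines below are constructed, not real telemetry.

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # whole answer is Base64 chars
RANDOM_LABEL_RE = re.compile(r"^[a-z]{5}$")      # five-letter third-level label

# Constructed sample resolver log. Whitespace-separated fields:
#   timestamp  client  qtype  qname  answers (TXT answers joined by '|')
SAMPLE_LOG = """\
2024-01-24T10:00:01Z 10.0.0.5 A www.example.com 192.0.2.10
2024-01-24T10:00:02Z 10.0.0.5 TXT example.com v=spf1 -all
2024-01-24T10:00:03Z 10.0.0.7 TXT qzkxw.applefirmware.example U2FsdGVkX1/abc+def==|0123456789ABCDEFGHIJabcdefghij|ZmFrZS1jaXBoZXJ0ZXh0
2024-01-24T10:00:04Z 10.0.0.7 TXT _dmarc.example.com v=DMARC1; p=reject
2024-01-24T10:00:05Z 10.0.0.9 TXT abcde.example.com v=verification-token
"""


def looks_like_b64_fragment(answer: str, min_len: int = 16) -> bool:
    """True if the TXT answer is made only of Base64 alphabet characters."""
    return len(answer) >= min_len and B64_RE.match(answer) is not None


def is_suspicious_txt_query(qname: str, answers: list, min_fragments: int = 2) -> bool:
    """Flag a TXT query whose name is <5 random letters>.<word>.<tld> and
    whose answers include several Base64-only fragments (ciphertext chunks
    to be reassembled by the client)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 3 or not RANDOM_LABEL_RE.match(labels[0]):
        return False
    fragments = [a for a in answers if looks_like_b64_fragment(a)]
    return len(fragments) >= min_fragments


def scan_log(text: str) -> list:
    """Run the heuristic over every TXT query in a resolver log and return
    one hit record per suspicious query."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        ts, client, qtype, qname, rest = parts
        if qtype != "TXT":
            continue
        answers = rest.split("|")
        if is_suspicious_txt_query(qname, answers):
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "fragments": len(answers)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit is worth correlating with the next stage the article describes: the same client starting to poll one host over HTTP at a fixed 30-second cadence. Legitimate TXT records (SPF, DMARC, domain-verification tokens) contain `=` or spaces in the middle and so do not match the Base64-only test, which keeps the false-positive rate manageable.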
The backdoor, actively maintained and updated by the authors of these (fake) activators, is designed to execute received commands, collect system metadata and check for the presence of Exodus and Bitcoin Core wallets on the infected host.
If these wallets are found, the applications are replaced by trojanized versions downloaded from “apple-analyser[.]com” that are equipped to exfiltrate the recovery phrase, wallet unlock password, name and balance to a server controlled by the malware author.
“The final payload was a backdoor that could run any script with administrator privileges and replace the Bitcoin Core and Exodus cryptocurrency wallet applications installed on the machine with infected versions that stole the secret recovery phrases at the time the wallet was unlocked,” Puzan said.
This development comes as cracked software is increasingly becoming a means of compromising macOS users with a variety of malware, including Trojan-Proxy and ZuRu.
A couple of considerations
Well, once again the famous myth of the impenetrable, virus-free Mac falls; what many people don't understand is that a program costs money, and that it also takes effort to reverse engineer software so that it runs without the original license.
I therefore invite you to reflect on something: would you spend €5000 on a piece of software, put a lot of effort (reverse engineering) into making it run without problems, and then distribute it around for free without asking anything in return? I doubt it; and if those who do this reverse engineering work don't earn money directly, they still profit from the exfiltration of personal data, which will in fact be resold somewhere later.
Unfortunately, the myth that whatever is behind a screen is a right and does not have to be paid for dies hard.
It goes without saying that, regardless of whether the computer runs macOS, Windows or Linux, the user must do their part: pay attention to sources, prefer official and trusted ones, and, if commercial software costs too much, consider whether free and open source alternatives to the commercial product might serve.
#Cracked #software #activators #macOS #careful