Wednesday, January 24 2024 – 23:04 WIB
Jakarta – Kaspersky researchers have discovered an unconventional type of macOS malware. This previously unknown suite of malicious software, distributed covertly via pirated apps, targets macOS users’ crypto assets, which are stored in digital wallets.
Unlike the proxy trojans previously discovered by Kaspersky, this new threat focuses on compromising victims' crypto wallets.
New macOS Backdoor Targets Crypto Asset Wallets
This crypto Trojan is unique in two ways: first, it uses DNS records to deliver its malicious Python scripts. Second, it not only steals the crypto wallet but also replaces the wallet app with an infected version of it.
This makes it possible to steal secret phrases used in accessing crypto assets stored in wallets.
The malware targets macOS version 13.6 and later, indicating a focus on users of newer operating systems, both on Intel and Apple Silicon devices.
The compromised disk images contained the "activators" and the sought-after applications. The activator, which at first glance appears harmless, activates the compromised application after the user enters their password.
The attacker uses a pre-compromised version of the application, manipulating the executable file so that it does not work until the user runs the activator. This tactic ensures that users activate compromised apps unknowingly.
After the patching process, the malware executes its main payload by obtaining the DNS TXT record for the malicious domain and decrypting the Python script contained in it. The script runs endlessly, trying to download the next stage of the infection chain, which is also a Python script.
The purpose of the next payload is to execute arbitrary commands received from the server. Although no commands were received during the investigation, the backdoor was updated regularly, so it is evident that the malware campaign is still in development.
The code indicates that the command is most likely an encoded Python script.
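A defender-side heuristic for the DNS TXT delivery channel described above, added here as an example and not code from the article or from Kaspersky: it scans a constructed resolver log for TXT answers that are long base64 blobs decoding to high-entropy bytes, which is how an encrypted or packed script payload would look next to ordinary SPF and DMARC records. The domain names, log layout and thresholds are assumptions.

```python
import base64
import binascii
import math
import re

# Constructed sample resolver log: (queried name, record type, answer text).
# Names and payloads are made up for this example; they are not real indicators.
SAMPLE_LOG = [
    ("example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("cdn-check.invalid", "TXT", base64.b64encode(bytes(range(256)) * 3).decode()),
    ("update.invalid", "A", "203.0.113.10"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")
MIN_LEN = 64            # assumed: real SPF/DMARC/verification strings are shorter
ENTROPY_THRESHOLD = 6.0  # assumed: bits per byte; ciphertext sits near 8, text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious_txt(answer: str) -> bool:
    """True when a TXT answer is one long base64 blob that decodes to high-entropy bytes.
    Spaces are stripped first because long TXT data is often split into 255-byte strings."""
    compact = answer.replace(" ", "")
    if len(compact) < MIN_LEN or not B64_RE.match(compact):
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(raw) >= ENTROPY_THRESHOLD

def find_payload_txt_queries(log):
    """Return the queried names whose TXT answers look like smuggled payloads."""
    return [name for name, rtype, answer in log
            if rtype == "TXT" and is_suspicious_txt(answer)]

if __name__ == "__main__":
    print(find_payload_txt_queries(SAMPLE_LOG))
```

Flagged names are a triage lead, not a verdict: confirm by pulling the full answer and checking which process on the host issued the query.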
Apart from the functions mentioned, the script contains two important features involving the domain apple-analyzer[.]com.
These two functions aim to check for the presence of a crypto asset wallet application and replace it with a version downloaded from the specified domain. This tactic appears to target Bitcoin and Exodus wallets, turning these applications into malicious ones.