The Rising Threat of Malware Targeting MacBook Users in the Crypto Space
In the fast-growing world of cryptocurrencies, cybercriminals are increasingly targeting users for their own gain. Recent research by cybersecurity firm Kaspersky has uncovered a sophisticated malware campaign aimed specifically at MacBook users involved in the crypto industry.
Harvesting Sensitive Data from Infected Mac Systems
Kaspersky’s experts discovered that the attackers repackaged pre-cracked applications as Package (PKG) installer files, a format commonly used on MacBooks. These packages contained a Trojan proxy and a post-installation script. The malware-laden applications were mainly distributed through pirated software channels, so users triggered the infection themselves simply by installing the cracked applications.
To deceive users, the infected installer displayed a window with installation instructions, prompting them to copy the application to the /Applications/ directory and then launch a program called “Activator.” In reality, this step was what granted the malware administrator privileges.
The Malware’s Main Payload and Communication Method
Once executed, the malware checked whether Python 3 was installed on the system. If it was absent, the malware installed a copy taken from the macOS system directory. It then “patched” the downloaded app by comparing it against a byte sequence hardcoded inside Activator; if a match was found, it removed the initial bytes so that the application appeared cracked and worked as expected.
The malware established communication with a command-and-control (C2) server through a unique address generated from hardcoded words combined with a random domain name. This allowed it to hide its activity within ordinary DNS traffic while downloading its payload.
Harvesting Sensitive Information and Targeting Crypto Wallet Applications
The decrypted script obtained from the C2 server revealed that the malware executed arbitrary commands received from the server. It also harvested sensitive data from the infected system, including the operating system version, user directories, installed applications, CPU type, and external IP address.
The campaign specifically targeted popular crypto wallet applications such as Exodus and Bitcoin-Qt. If either was found on an infected system, the malware attempted to replace it with a trojanized version fetched from a different host. These tampered wallets were designed to steal wallet unlock passwords and secret recovery phrases from unsuspecting users.
Ongoing Development and Adaptation by Malware Operators
While analyzing the campaign, Kaspersky observed that the malware operators were still actively developing and adapting it. Although the C2 server did not return any commands during the investigation and eventually stopped responding, repeated attempts to download the third-stage Python script revealed changes in the script’s metadata.
The Continued Threat of Cracked Applications
Kaspersky emphasized that malicious actors continue to distribute cracked applications as a way of gaining access to users’ computers. Because users already expect to be asked for a password during software installation, attackers can easily exploit that trust to escalate their privileges. The techniques employed in this campaign demonstrate the “ingenuity” of these attackers.
Hot Take: Protect Yourself from Malware Attacks
As cybercriminals become more sophisticated in their methods, it is crucial for crypto users to remain vigilant against malware attacks. Avoid downloading cracked applications or pirated software, as they often contain hidden malicious code and, as this campaign shows, may ask for your administrator password under the guise of a normal install step. Regularly update your operating system and applications to protect against known vulnerabilities. Use strong, unique passwords for all your accounts, including crypto wallets. Be cautious of suspicious emails or links that could lead to malware infections. By taking these precautions, you can help safeguard your sensitive information and reduce the risk of falling victim to cyberattacks.