A new cybercriminal campaign is distributing a proxy trojan to Mac users worldwide through pirated software. According to reports, the operators bundle the malware with cracked copies of popular commercial macOS applications offered on warez sites, compromising the Macs that install them.
Once a Mac is infected, the trojan turns it into a traffic-forwarding node: the attackers route their own traffic through the victim's machine to anonymise hacking, phishing and illicit trading activity. Access to compromised devices is then sold on, feeding the growth of large proxy botnets, and Macs are now part of that supply.
The typical victims of this operation are users willing to trade their computer's security for free access to premium applications: investigators found that the campaign preys on Mac users who install cracked software rather than pay for it.
The operators hid the malware in 35 popular software titles, including image editors, video compression and editing tools, data recovery apps, and network scanning tools.
Among the better-known applications carrying the malware are 4K Video Downloader Pro, Aiseesoft Mac Data Recovery, Sketch, and SQLPro Studio. Unlike the legitimate versions, the trojanized copies are distributed as PKG installer packages, a riskier format because a package can carry scripts that run during installation.
Because the installer runs those scripts with the privileges the user grants it, typically administrator rights, the malware can modify files, set itself to run automatically and execute commands with that level of access.
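The practical defence against the PKG trick is to look at the installer's scripts before running it. The following is an added example (not code from the article, the researchers, or any of the vendors named above): it assumes the package has already been expanded with the real command `pkgutil --expand Installer.pkg expanded/`, which writes each component's pre/postinstall scripts into a `Scripts/` directory, and it scans those scripts for actions that no image editor or video downloader needs to perform. The sample package tree it builds is constructed for the illustration, and the dropper-style postinstall script in it is an assumption about what such an installer might do, not the campaign's actual script.

```python
"""Inspect an expanded macOS installer package for suspicious pre/postinstall scripts."""
import os
import re
import tempfile

# Behaviours an installer script has no business showing for ordinary desktop
# software. Each entry is (label, pattern tested against a single script line).
SUSPICIOUS_PATTERNS = [
    ("launchd persistence", re.compile(r"launchctl\s+(load|bootstrap)\b|/Library/Launch(Agents|Daemons)")),
    ("quarantine removal", re.compile(r"\bxattr\b.*quarantine")),
    ("remote fetch", re.compile(r"\b(curl|wget)\b")),
    ("encoded payload", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("system-named binary", re.compile(r"/WindowServer\b")),  # the name this campaign borrowed
    ("mark executable", re.compile(r"\bchmod\s+\S*x\b")),
]


def scan_pkg_scripts(expanded_dir):
    """Walk an expanded package and return one finding per suspicious script line.

    Each finding is a dict: script (path relative to expanded_dir), line (1-based),
    label (which pattern fired) and text (the offending line, stripped).
    """
    findings = []
    for root, _dirs, files in os.walk(expanded_dir):
        if os.path.basename(root) != "Scripts":   # pkgutil --expand puts scripts here
            continue
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh, start=1):
                    for label, pattern in SUSPICIOUS_PATTERNS:
                        if pattern.search(line):
                            findings.append({
                                "script": os.path.relpath(path, expanded_dir),
                                "line": number,
                                "label": label,
                                "text": line.strip(),
                            })
    return findings


# Constructed sample scripts (assumptions for this example, not the real campaign's).
POSTINSTALL = """#!/bin/sh
# Constructed dropper-style script for this example (not the campaign's real script).
APP_SUPPORT="$HOME/Library/Application Support"
mkdir -p "$HOME/Library/LaunchAgents" "$APP_SUPPORT"
cp "$(dirname "$0")/WindowServer" "$APP_SUPPORT/WindowServer"
chmod +x "$APP_SUPPORT/WindowServer"
cp "$(dirname "$0")/GoogleHelperUpdater.plist" "$HOME/Library/LaunchAgents/"
launchctl load "$HOME/Library/LaunchAgents/GoogleHelperUpdater.plist"
exit 0
"""
PREINSTALL = "#!/bin/sh\nexit 0\n"   # a harmless script, to show the clean path


def build_sample_expanded_pkg():
    """Create a directory laid out like `pkgutil --expand` output (constructed sample)."""
    base = tempfile.mkdtemp(prefix="expanded_pkg_")
    scripts = os.path.join(base, "Sample.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(base, "Distribution"), "w") as fh:
        fh.write('<?xml version="1.0"?><installer-gui-script minSpecVersion="1"/>\n')
    with open(os.path.join(base, "Sample.pkg", "PackageInfo"), "w") as fh:
        fh.write('<pkg-info identifier="com.example.sample" version="1.0"/>\n')
    with open(os.path.join(scripts, "preinstall"), "w") as fh:
        fh.write(PREINSTALL)
    with open(os.path.join(scripts, "postinstall"), "w") as fh:
        fh.write(POSTINSTALL)
    return base


if __name__ == "__main__":
    for f in scan_pkg_scripts(build_sample_expanded_pkg()):
        print(f"{f['script']}:{f['line']} [{f['label']}] {f['text']}")
```

Run it against a real expanded package by calling `scan_pkg_scripts("expanded/")`. The point is not the exact pattern list, which any attacker can evade with a little obfuscation, but the habit: a package that needs an administrator password and ships a postinstall script that copies binaries into Library folders and loads a launchd job is doing something the advertised application never needs.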
The malware hides in plain sight by borrowing the names of legitimate components. The dropped binary is named WindowServer, after the genuine macOS process that manages the graphical user interface, and its persistence entry is a launchd property list named "GoogleHelperUpdater.plist", which mimics a Google updater configuration file and starts the fake WindowServer automatically at startup so that a user glancing at the file list sees nothing unusual.
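The naming trick is easy to catch once you look at what each launchd job actually runs rather than at what it is called. The block below is an added example, not the researchers' or the article's code: it parses launchd property lists with the standard `plistlib` module and flags a program that borrows a system process name from outside the system directories, an auto-started program living in a user-writable location, and a label that claims a vendor the program path does not back up. The two sample plists are constructed for the illustration, and the `/Users/Shared/WindowServer` path in the malicious one is an assumption, not a path reported for this campaign.

```python
"""Triage macOS launchd property lists for the impersonation pattern described above."""
import os
import plistlib
from xml.parsers.expat import ExpatError

# Genuine macOS process names that malware borrows. The real binaries live under
# the trusted prefixes, so a same-named program anywhere else deserves a look.
SYSTEM_PROCESS_NAMES = {"WindowServer", "launchd", "kernel_task", "mds", "coreaudiod"}
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
VENDOR_NAMES = ("google", "apple", "microsoft", "adobe")
LAUNCH_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)


def triage_launch_plist(name, data):
    """Return findings (a list of dicts) for one launchd plist supplied as bytes."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return [{"plist": name, "check": "unparsable", "detail": "not a valid property list"}]
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not isinstance(program, str) or not program:
        return []
    findings = []

    def flag(check, detail):
        findings.append({"plist": name, "check": check, "detail": detail})

    if os.path.basename(program) in SYSTEM_PROCESS_NAMES and not program.startswith(TRUSTED_PREFIXES):
        flag("system_name_outside_system", f"{program} borrows a system process name")
    if plist.get("RunAtLoad") and program.startswith(USER_WRITABLE_PREFIXES):
        flag("autorun_from_user_writable_path", f"{program} auto-starts from a user-writable location")
    label = str(plist.get("Label", "")).lower()
    for vendor in VENDOR_NAMES:
        if vendor in label and vendor not in program.lower() and not program.startswith(TRUSTED_PREFIXES):
            flag("vendor_label_mismatch", f"label {label!r} claims {vendor} but program is {program}")
            break
    return findings


def triage_directories(dirs=LAUNCH_DIRS):
    """Run the triage over the standard launchd directories on this Mac."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if fname.endswith(".plist"):
                full = os.path.join(d, fname)
                with open(full, "rb") as fh:
                    results.extend(triage_launch_plist(full, fh.read()))
    return results


# Constructed samples: the malicious one mirrors the naming described in the text;
# its program path is an assumption for this example.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>GoogleHelperUpdater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>Program</key><string>/Library/Application Support/Example/backupd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for f in triage_launch_plist("GoogleHelperUpdater.plist", MALICIOUS_PLIST):
        print(f"{f['plist']}: {f['check']}: {f['detail']}")
    for f in triage_directories():
        print(f"{f['plist']}: {f['check']}: {f['detail']}")
```

Call `triage_directories()` on a live machine to walk the per-user and system launchd folders. The user-writable check is deliberately noisy (legitimate per-user updaters also live under `~/Library`), so treat it as an ordering hint; the system-name check is the one that should never fire on a clean Mac, because the real WindowServer is only ever started from under /System.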
Once running, the trojan contacts its C2 server, resolving the server's address over DNS-over-HTTPS (DoH) so the lookup does not show up in ordinary DNS monitoring, and waits for commands. The researchers have not disclosed the full command set, but they say the trojan can open TCP or UDP connections on demand, which is all it needs to relay the operators' traffic.
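Two things in that description are visible from the endpoint even when the command channel is not: a non-browser process talking to a public DoH resolver, and one process fanning out connections to many unrelated destinations, which is what a proxy node looks like. The block below is an added example, not the researchers' detection logic; the egress log format it parses is a constructed one (not any particular EDR's schema), the resolver list is a short illustrative set, and the sample records are made up for the example, with the fan-out threshold chosen arbitrarily.

```python
"""Flag DoH use by non-browsers and proxy-like fan-out in endpoint egress records."""
import re
from collections import defaultdict

# Public DoH resolvers and the URL paths the DoH APIs use (RFC 8484 uses
# /dns-query; Google's JSON API uses /resolve). Illustrative, not exhaustive.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_PATHS = {"/dns-query", "/resolve"}
BROWSERS = {"Safari", "Google Chrome", "firefox"}   # browsers legitimately use DoH
FANOUT_THRESHOLD = 5   # distinct destinations from one process before it looks proxy-like (assumption)

# Constructed record format: timestamp, quoted process name, pid, protocol,
# destination host:port and, for HTTPS where an SNI/path is known, the path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc="(?P<proc>[^"]+)" pid=(?P<pid>\d+) proto=(?P<proto>tcp|udp) '
    r'dst=(?P<host>[^:\s]+):(?P<port>\d+)(?: path=(?P<path>\S+))?$'
)


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return findings over a batch of egress records: DoH use and fan-out."""
    findings = []
    destinations = defaultdict(set)   # process name -> {(host, port)}
    seen_doh = set()                  # (proc, host) pairs already reported
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proc, host, port, path = rec["proc"], rec["host"], int(rec["port"]), rec["path"]
        destinations[proc].add((host, port))
        if (host in DOH_HOSTS or (path in DOH_PATHS and port == 443)) and (proc, host) not in seen_doh:
            seen_doh.add((proc, host))
            findings.append({
                "check": "doh_lookup",
                "proc": proc,
                "severity": "low" if proc in BROWSERS else "high",
                "detail": f"{proc} resolved names via DoH at {host}",
            })
    for proc, dsts in destinations.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append({
                "check": "fan_out",
                "proc": proc,
                "severity": "high",
                "detail": f"{proc} reached {len(dsts)} distinct destinations",
            })
    return findings


# Constructed sample records for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2023-12-05T09:14:02Z proc="WindowServer" pid=4211 proto=tcp dst=dns.google:443 path=/dns-query
2023-12-05T09:14:03Z proc="WindowServer" pid=4211 proto=tcp dst=203.0.113.17:443
2023-12-05T09:14:09Z proc="WindowServer" pid=4211 proto=tcp dst=198.51.100.23:80
2023-12-05T09:14:10Z proc="WindowServer" pid=4211 proto=udp dst=198.51.100.77:53
2023-12-05T09:14:11Z proc="WindowServer" pid=4211 proto=tcp dst=198.51.100.9:8080
2023-12-05T09:14:12Z proc="WindowServer" pid=4211 proto=tcp dst=203.0.113.250:443
2023-12-05T09:15:00Z proc="Safari" pid=612 proto=tcp dst=dns.google:443 path=/dns-query
2023-12-05T09:15:01Z proc="Safari" pid=612 proto=tcp dst=www.example.com:443
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['check']}: {f['detail']}")
```

Safari's DoH use is reported at low severity because browsers do that by design; the process calling itself WindowServer gets both findings, and on a real Mac the genuine WindowServer has no reason to open outbound network connections at all, so any egress under that name is worth pulling the binary path for.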
The researchers also believe this Mac campaign is part of a broader operation: the same C2 infrastructure that hosts the proxy trojan payloads for macOS also serves builds for Android and Windows.
That breadth shows the operators continually extending their tooling to new platforms. Mac users who install software from warez sites are squarely in this campaign's sights and should treat pirated installers, particularly PKG packages that ask for an administrator password, with suspicion.