Here is another reason not to download cracked or pirated software onto a Mac: there is malware lurking inside.
Cybersecurity researchers at Kaspersky Lab warn that new malware built for the Apple ecosystem is being distributed on websites that claim to offer cracked applications.
Victims download the PKG file thinking they have obtained an activator for a cracked app they previously downloaded. They place the PKG in the /Applications/ folder as part of the steps to “activate” the cracked software.
macOS malware strikes again
On the surface, the malware does what the victim expects: it shows a fake Activator window that asks for the administrator password, and that password is what hands the rest of the chain administrator rights. Behind the prompt, the malware contacts a command-and-control (C2) server and retrieves a script that can execute arbitrary commands on the endpoint.
What is interesting is how the malware works out which C2 server to contact. It builds the domain name by combining words from two hard-coded lists and prepending a random five-character sequence as the third-level label, so the lookups that follow look like ordinary DNS traffic.
“Using this URL, the sample sent a request to the DNS server in an attempt to retrieve the TXT record for the domain,” Kaspersky explained.
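The scheme above, modelled as an added example (not Kaspersky's code and not the malware's): the generator shows the shape of the names this construction produces, and the detector flags TXT queries of that shape in a resolver log. The word lists, the `.com` suffix and the log lines are assumptions constructed for the example; the real malware's lists are not reproduced here.

```python
"""Model of the C2 domain scheme described above, plus a log detector.
Added example; word lists, TLD and log lines are constructed assumptions."""
import random
import re
import string
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical stand-ins for the malware's two hard-coded word lists.
WORDS_A = ["secure", "cloud", "data", "net"]
WORDS_B = ["host", "sync", "portal", "cdn"]
TLD = "com"  # assumed suffix

# Shape of a generated name: <5 random letters>.<wordA+wordB>.<tld>
C2_NAME_RE = re.compile(r"^[a-z]{5}\.[a-z]+\.[a-z]{2,}$")


def generate_c2_domain(rng: random.Random) -> str:
    """Pick one word from each list to form the second-level name, then
    prepend a random five-letter third-level label."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(5))
    second_level = rng.choice(WORDS_A) + rng.choice(WORDS_B)
    return f"{label}.{second_level}.{TLD}"


def sample_domains(seed: int, n: int = 3) -> List[str]:
    """Deterministic batch of generated names for inspection or testing."""
    rng = random.Random(seed)
    return [generate_c2_domain(rng) for _ in range(n)]


def is_c2_shaped(qname: str) -> bool:
    """True if the name has the generated shape. Underscore-prefixed names
    such as _dmarc.example.com, and bare apex names used for SPF lookups,
    do not match, so common legitimate TXT queries are left alone."""
    return C2_NAME_RE.match(qname.rstrip(".")) is not None


# Constructed resolver log (not real data): "<time> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2024-01-23T10:14:02Z 10.0.0.12 www.apple.com A
2024-01-23T10:14:05Z 10.0.0.12 _dmarc.example.com TXT
2024-01-23T10:14:07Z 10.0.0.12 kqzrt.securehost.com TXT
2024-01-23T10:14:09Z 10.0.0.33 example.com TXT
2024-01-23T10:14:11Z 10.0.0.12 pbmxw.securehost.com TXT
2024-01-23T10:14:14Z 10.0.0.33 a1b2c.cloudfront.net A
"""


def flag_txt_queries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for every TXT query whose name has the shape."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, qtype = fields
        if qtype == "TXT" and is_c2_shaped(qname):
            hits.append((client, qname))
    return hits


def suspicious_clients(hits: Iterable[Tuple[str, str]], min_names: int = 2) -> List[str]:
    """Clients that queried at least min_names distinct C2-shaped names.
    One random-looking TXT lookup may be noise; repeated ones rarely are."""
    per_client: Dict[str, Set[str]] = {}
    for client, qname in hits:
        per_client.setdefault(client, set()).add(qname)
    return sorted(c for c, names in per_client.items() if len(names) >= min_names)


if __name__ == "__main__":
    for name in sample_domains(seed=1):
        print("generated:", name)
    hits = flag_txt_queries(SAMPLE_LOG.splitlines())
    for client, qname in hits:
        print(f"suspicious TXT lookup from {client}: {qname}")
    print("clients to triage:", suspicious_clients(hits))
```

The label shape alone is a weak signal (some CDNs use short random-looking subdomains), so the detector only counts TXT queries and only escalates a client after several distinct matches; the next step on a real investigation is to pull the TXT answers for the flagged names and see whether they carry an encoded payload rather than a text record.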
The final payload gives the attacker a range of capabilities, from backdoor access to details about the compromised system. Among other things, the malware looks for Bitcoin Core and Exodus wallets on the infected Mac and, if it finds them, replaces them with backdoored copies. The next time the victim logs into the wallet, the funds can be drained almost immediately.
Kaspersky also said that during its investigation the C2 returned an upgraded version of the backdoor script, indicating continued development. Command execution was not yet functional, however, suggesting the malware is still a work in progress.
via BleepingComputer