Advanced Malware Attack Targets MacBook Users And Popular Crypto Wallets
Kaspersky Lab recently uncovered a sophisticated malware attack on MacBook users in the crypto realm. Cybercriminals repackaged cracked applications as PKG files, a format that is common on MacBook devices, and distributed them through pirated software channels. Users unknowingly triggered the infection process and granted administrative privileges by entering a password into a seemingly harmless application named Activator.
The Context
After examining the system, the malware communicated with a command-and-control (C2) server, concealing its activities within DNS server traffic. It executed arbitrary commands received as Base64-encoded Python scripts and extracted sensitive information from the compromised system. Although the C2 server was unresponsive during analysis, continued script updates indicated ongoing development by the malware operators.
The infected sample established communication with the C2 server by generating a unique Uniform Resource Locator (URL) from a combination of hardcoded words and a random third-level domain name. This method allowed the malware to hide its activities within normal DNS server traffic while ensuring the payload was downloaded.
Malware Is To Blame
Notably, the malware targeted popular crypto wallets like Exodus and Bitcoin-Qt, replacing them with infected versions to steal wallet information. Kaspersky highlighted the persistent threat of distributing cracked applications to compromise numerous computers, exploiting trust during software installation. The innovative techniques utilized by the malware, like storing the Python script in a TXT record within a DNS server, were also underscored.
Additionally, the malware included functionality specifically targeting these popular crypto wallet applications. When the applications were identified on the infected system, the malware sought to replace them with infected versions sourced from a distinct host. The compromised crypto wallets included mechanisms to steal wallet unlock passwords and secret recovery phrases from unsuspecting users.
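The delivery channel described above, a Base64-encoded Python script carried in a DNS TXT record, can be hunted for in resolver logs. The following is an added detection sketch, not code from Kaspersky or from the article; the record layout (name, type, answer), the keyword heuristic and every sample value are assumptions constructed for illustration.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Tokens that suggest the decoded text is a Python script (heuristic, tune locally).
PY_HINTS = re.compile(r"\b(import|exec|eval|subprocess|urllib|def)\b")

def decode_txt(answer):
    """Return decoded text if a TXT answer is Base64 of UTF-8 text, else None."""
    # Long TXT data is logged as several quoted chunks; join them first.
    data = answer.replace('"', "").replace(" ", "")
    if len(data) < 24 or len(data) % 4 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def flag_records(records):
    """Return (query name, decoded text) for TXT answers that decode to script-like text."""
    hits = []
    for name, rtype, answer in records:
        if rtype != "TXT":
            continue
        text = decode_txt(answer)
        if text and PY_HINTS.search(text):
            hits.append((name, text))
    return hits

# Constructed sample records (name, type, answer); none come from the real campaign.
_script = base64.b64encode(b"import platform\nprint(platform.node())").decode()
_token = base64.b64encode(b"domain verification token 0001").decode()
SAMPLE_LOG = [
    ("www.example.test", "A", "192.0.2.10"),
    ("example.test", "TXT", '"v=spf1 include:_spf.example.test ~all"'),
    ("verify.example.test", "TXT", f'"{_token}"'),
    ("k3x9q.sample-words.example.test", "TXT", f'"{_script[:20]}" "{_script[20:]}"'),
]

if __name__ == "__main__":
    for name, text in flag_records(SAMPLE_LOG):
        print(f"ALERT {name}: TXT answer decodes to script-like text: {text!r}")
```

Ordinary TXT content such as SPF policies fails the Base64 check, and Base64 verification tokens decode to text without script keywords, so only the last sample record is flagged.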