Cybersecurity researchers at Jamf Threat Labs have discovered a new piece of malware targeting macOS users.
The malware, while unnamed, has many similarities to another malicious piece of code discovered in 2021 called ZuRu.
In a detailed report, researchers said the malware was hidden in three separate pirated applications. The software, including Microsoft Remote Desktop, was found on a Chinese website that provides links to various pirated applications.
The spirit of ZuRu
If a user downloads and runs one of the infected applications, the malware will download and run multiple payloads in the background. These payloads all perform different tasks, from serving as a dropper, to acting as a backdoor, to working as a persistent downloader to deliver additional malicious payloads.
The targets clearly appear to be Chinese macOS users, similar to what ZuRu did three years ago.
In 2021, cybersecurity researchers from Objective-See and Trend Micro saw ZuRu hiding in pirated versions of applications such as iTerm, SecureCRT, Navicat Premium and Remote Desktop Client. The people who downloaded these apps noticed that they worked as intended, but were unaware that a Python script was running in the background.
This script stole sensitive data from the victim’s endpoint and sent it to a command-and-control (C2) server used by the attackers.
“It is possible that this malware is a successor to the ZuRu malware, given its targeted applications, custom load commands, and attacker infrastructure,” Jamf researchers said.
Pirated software is a great place to hide malware, the researchers added, because users understand they are engaging in illegal activity and expect their antivirus programs to raise a flag. “This makes them willing to skip security warnings built into the operating system, such as Gatekeeper, which informs the user that these applications are not safe to open,” they concluded.
So the best way to protect yourself against such threats is simply not to download and use pirated software.