Cybersecurity researchers from Jamf Threat Labs have uncovered a new piece of malware targeting macOS users.
The malware, though unnamed, shares many similarities with another malicious piece of code discovered in 2021, called ZuRu.
In a detailed report, the researchers said the malware was found hiding in three separate, pirated software. The software, including Microsoft Remote Desktop, was found on a Chinese website that provides links to different pirated applications.
The ghost of ZuRu
If a user downloads and runs any of the compromised applications, the malware will download and execute multiple payloads in the background. These payloads are all tasked with different things, from serving as a dropper, to being a backdoor, to working as a persistent downloader to deliver additional malicious payloads.
The targets, obviously, seem to be Chinese macOS users, similar to what ZuRu did three years ago.
Back in 2021, cybersecurity researchers from Objective-See and Trend Micro observed ZuRu hiding in pirated versions of applications such as iTerm, SecureCRT, Navicat Premium, and Remote Desktop Client. The people that downloaded these apps found them working as intended, but were oblivious to the fact that a Python script was being executed in the background.
This script stole sensitive data from the victim endpoint and sent them to a command & control (C2) server used by the attackers.
“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” Jamf’s researchers said.
Pirated software is a great place to hide malware, the researchers also added, as users understand they’re engaged in illegal activity and expect their antivirus programs to raise a flag. “This leaves them willing to skip past any security warning prompts built into the operating system such as Gatekeeper, which informs the user that these applications are not safe to open,” they concluded.
Thus, the best way to protect against such threats is not to steal and download pirated software in the first place.