Jamf Threat Labs has detected a series of pirated macOS applications that have been modified to communicate to attacker infrastructure.
These applications are hosted on Chinese pirating websites in order to reach victims. Once detonated, the malware downloads and executes multiple payloads in the background in order to secretly compromise the victim's machine.
Jamf Threat Labs has noted a number of similarities between this malware and the ZuRu malware, which was originally discovered in 2021 and has been blogged about by Objective-See and Trend Micro.
The ZuRu malware was originally found in pirated versions of iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop Client. As with the ZuRu findings in 2021, this malware also appears to primarily target victims in China, based on the uploads Jamf Threat Labs has seen to VirusTotal, the hosting of the apps on Chinese pirating websites, and the attacker infrastructure, which communicates with Chinese IP addresses.
This is not the first time Jamf Threat Labs has seen malware within pirated applications.
“One of the major difficulties in dealing with users who install pirated applications is that they expect to see security alerts, as the software isn’t legitimate,” says Jamf Threat Labs. “This expectation leaves them willing to skip past any security warning prompts built into the operating system, such as Gatekeeper, which informs users that these applications are not safe to open. Jamf Threat Labs remains vigilant in detecting these changes to keep customers safe and blocks this malware with our threat prevention feature.”