Trojan-Proxy malware spreading via pirated software in Apple macOS
Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware. Kaspersky also recovered Windows and Android samples bundled with pirated tools, indicating that the malware is a cross-platform threat. The macOS variants pose as legitimate multimedia, image editing, data recovery, and productivity tools.
This suggests that users searching for pirated software are the targets of the campaign.
"Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said.
Whereas the genuine applications ship as disk image (.DMG) files, the trojanized versions arrive as .PKG installers. A .PKG can bundle preinstall and postinstall scripts that the macOS Installer executes automatically, and when the user authorises the installation with an administrator password those scripts run as root. That post-install script is the hook the attackers use to activate the malicious payload once installation completes, something a plain .DMG cannot do on its own.
The end goal of the campaign is to launch the Trojan-Proxy disguised as the WindowServer process so that it escapes notice. WindowServer is a core macOS system process responsible for managing windows and rendering the graphical user interface (GUI) of applications, so its name looks unremarkable in a process list. The disguise is by name only: the genuine WindowServer lives under /System/Library, so a process with that name running from any other location is the tell.
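One way to hunt for this kind of disguised persistence is to walk the launchd directories and flag any job whose executable carries a well-known system process name but does not live under a system path, or sits in a user-writable drop location such as /Users/Shared. The following is an added example written for this page, not Kaspersky's code or an indicator from their report: the two plists are constructed, the labels com.example.backupagent and com.example.helper are hypothetical, and the set of watched process names is a starting heuristic rather than a complete list. On a live Mac, `scan_dir("/Library/LaunchDaemons")` and `scan_dir("/Library/LaunchAgents")` apply the same checks to the real files.

```python
"""Flag launchd jobs that run a system-process name from a non-system path.

Added example, not the malware's or Kaspersky's code. The plists below are
constructed and their labels are hypothetical.
"""
import os
import plistlib

# Where Apple's own binaries live. /usr/local is deliberately excluded: it is
# admin-writable, so a "WindowServer" there is exactly what we want to catch.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")
# User-writable locations that post-install scripts commonly drop payloads into.
USER_WRITABLE_PREFIXES = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
# System process names worth watching; extend for your environment.
IMPERSONATED_NAMES = {"WindowServer", "launchd", "kernel_task", "mds", "syslogd"}


def program_path(item: dict):
    """The executable a launchd job starts: Program wins over ProgramArguments[0]."""
    if item.get("Program"):
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launch_item(plist_bytes: bytes) -> list:
    """Return (finding, detail) tuples for one launchd plist; [] means nothing flagged."""
    item = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    path = program_path(item)
    if not path:
        return [("no_program", item.get("Label", "?"))]
    findings = []
    if os.path.basename(path) in IMPERSONATED_NAMES and not path.startswith(SYSTEM_PREFIXES):
        findings.append(("impersonates_system_process", path))
    if path.startswith(USER_WRITABLE_PREFIXES):
        findings.append(("user_writable_location", path))
    return findings


def scan_dir(directory: str) -> dict:
    """Assess every .plist in a launchd directory; maps filename -> findings."""
    results = {}
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".plist"):
            continue
        with open(os.path.join(directory, fname), "rb") as fh:
            try:
                results[fname] = assess_launch_item(fh.read())
            except Exception as exc:  # malformed files are reported, not skipped
                results[fname] = [("unparseable", str(exc))]
    return results


# Constructed sample: an ordinary third-party agent from a non-system but legitimate path.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/backupagent</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample: a job that starts a binary named WindowServer from /Users/Shared.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(assess_launch_item(BENIGN_PLIST))      # []
    print(assess_launch_item(SUSPICIOUS_PLIST))  # two findings for /Users/Shared/WindowServer
```

The path check matters more than the name check: a job pointing at a binary in /Users/Shared or /tmp is worth a look whatever it is called, while the name heuristic only catches impersonation of the handful of processes you list. Cross-check hits against `launchctl list` and the code-signing status of the binary before acting on them.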
On start-up, the Trojan-Proxy resolves the IP address of its command-and-control (C2) server through DNS-over-HTTPS (DoH, RFC 8484). DoH carries the DNS query and response inside an HTTPS session instead of plaintext UDP or TCP on port 53, so the lookup is encrypted and blends in with ordinary web traffic, and DNS-based monitoring or sinkholing on port 53 never sees it. What remains observable is the HTTPS connection itself to a DoH resolver endpoint.
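To make the mechanism concrete, here is an added example (written for this page, not the malware's code) of what a DoH lookup looks like on the wire: the client builds an ordinary DNS wire-format query, sends it either base64url-encoded in the `dns` GET parameter or as an `application/dns-message` POST body, and receives the same binary DNS format back inside the HTTPS response. The C2 name c2.example and the answer 192.0.2.10 are placeholders, the resolver reply is constructed locally, and nothing is transmitted, so the block runs offline.

```python
"""RFC 8484 DNS-over-HTTPS message handling.

Added example, not the malware's code. Builds the wire-format DNS query a
DoH client wraps in HTTPS and parses the application/dns-message reply to
extract the A record. The reply bytes are constructed locally.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # body type for POST requests and replies


def encode_name(name: str) -> bytes:
    """Encode 'c2.example' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A-record query (RFC 1035) with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def doh_get_path(query: bytes) -> str:
    """GET form: the query base64url-encoded without '=' padding in the 'dns' parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_doh_param(param: str) -> bytes:
    """Reverse of doh_get_path: restore padding and decode (what the resolver does)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def build_dns_response(query: bytes, ipv4: str, ttl: int) -> bytes:
    """Constructed resolver reply: echoes the question and appends one A record
    whose owner name is a compression pointer (0xC00C) back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = query[12:]
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return (name, ttl, dotted-quad) for each A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


if __name__ == "__main__":
    q = build_dns_query("c2.example")   # placeholder name, not the real C2
    print("GET", doh_get_path(q))
    print(parse_a_records(build_dns_response(q, "192.0.2.10", 300)))
```

Note what this means for detection: the only bytes on the wire are a TLS session to the resolver, and the `dns` parameter or POST body is opaque inside it. Blocking outbound port 53 does nothing here; the useful controls are restricting which DoH endpoints hosts may reach and watching for processes that talk to public DoH resolvers when the system resolver is configured to do otherwise.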