Cracked software beats gold: new macOS backdoor stealing cryptowallets

A month ago, we discovered some cracked apps circulating on pirating websites and infected with a Trojan proxy. The malicious actors repackaged pre-cracked applications as PKG files with an embedded Trojan proxy and a post-install script initiating the infection. We recently caught sight of a new, hitherto unknown, macOS malware family that was piggybacking on cracked software. The threat proved far more potent than an unauthorized proxy server installation.

Stage 1. Activator.app

The samples we found could be successfully run on macOS Ventura 13.6 and later, suggesting that the operators were targeting only users of the newer operating system versions on both Intel processors and Apple silicon machines. The compromised disk images contain a program named “Activator” and the application that the user is looking to install. Opening/mounting the image brings up a window with installation instructions.

[Figure: Window with installation instructions]

The instruction tells the user to copy the app to /Applications/ and then launch Activator. The latter looks fairly unsophisticated: just a PATCH button that displays a password prompt when clicked.

[Figure: Activator window and password form]

A look under the hood revealed an interesting fact right away: the application's Resources folder, oddly, contained a Python 3.9.6 installer and an extra Mach-O file named tool. The main Fat Mach-O file, tellingly named GUI, essentially implemented the PATCH button; clicking it triggered two actions:

The Python installer was copied to the temporary file directory: /tmp/
The tool exec ..
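The bundle layout described above (a GUI executable plus an installer package and a stray Mach-O tucked into Resources) is something a defender can check for before trusting a "cracked" app. The following triage script is an added example, not code from the original article or from the malware: it walks an .app bundle, classifies files under Contents/Resources by their leading bytes, and flags the installer-plus-Mach-O combination. The sample bundle it builds is constructed test data; file names other than GUI and tool are placeholders.

```python
import os
import tempfile

# Mach-O magic (thin 32/64-bit, both byte orders), fat/universal headers, and the xar
# magic of flat .pkg installers. Note 0xcafebabe is also Java's class-file magic: a hint, not proof.
KIND_BY_MAGIC = {b"\xfe\xed\xfa\xce": "macho", b"\xce\xfa\xed\xfe": "macho",
                 b"\xfe\xed\xfa\xcf": "macho", b"\xcf\xfa\xed\xfe": "macho",
                 b"\xca\xfe\xba\xbe": "fat", b"\xbe\xba\xfe\xca": "fat",
                 b"xar!": "pkg"}

def classify(path):
    """Return 'macho', 'fat', 'pkg' or None based on the file's first four bytes."""
    with open(path, "rb") as f:
        return KIND_BY_MAGIC.get(f.read(4))

def triage_bundle(app_dir):
    """List executables/installers under Contents/Resources and flag the Activator-like mix."""
    resources = os.path.join(app_dir, "Contents", "Resources")
    findings = []
    if os.path.isdir(resources):
        for root, _, files in os.walk(resources):
            for name in files:
                path = os.path.join(root, name)
                kind = classify(path)
                if kind:
                    findings.append((os.path.relpath(path, app_dir), kind))
    kinds = {kind for _, kind in findings}
    suspicious = "pkg" in kinds and bool(kinds & {"macho", "fat"})
    return {"findings": sorted(findings), "suspicious": suspicious}

def build_sample_bundle(base):
    """Constructed test data: a minimal bundle laid out like the described Activator.app."""
    macos_dir = os.path.join(base, "Activator.app", "Contents", "MacOS")
    res_dir = os.path.join(base, "Activator.app", "Contents", "Resources")
    os.makedirs(macos_dir)
    os.makedirs(res_dir)
    stubs = {
        os.path.join(macos_dir, "GUI"): b"\xca\xfe\xba\xbe",       # fat Mach-O header
        os.path.join(res_dir, "tool"): b"\xcf\xfa\xed\xfe",        # 64-bit Mach-O header
        os.path.join(res_dir, "python_installer.pkg"): b"xar!",    # flat pkg (xar) header, placeholder name
    }
    for path, magic in stubs.items():
        with open(path, "wb") as f:
            f.write(magic + b"\x00" * 28)
    return os.path.join(base, "Activator.app")

def demo():
    """Build the constructed sample in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))
```

Run against a real mounted image by pointing triage_bundle() at the .app path; a hit means the bundle deserves a closer look (for example with codesign and otool), not that it is automatically malicious.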