New macOS Trojan-Proxy piggybacking on cracked software

Illegally distributed software has long served as a way to sneak malware onto victims’ devices. Users are often unwilling to pay for the software tools they need, so they go searching the Web for a “free lunch”. They are an excellent target for cybercriminals, who realize that someone looking for a cracked app is already willing to download an installer from a questionable website and disable security on their machine, and so will be fairly easy to trick into installing malware as well.


We recently discovered several cracked applications distributed by unauthorized websites and loaded with a Trojan-Proxy. Attackers can use this type of malware to make money by building a proxy server network, or to perform criminal acts on behalf of the victim: launching attacks on websites, companies and individuals, or buying guns, drugs and other illicit goods.


Postinstall script


Unlike the original, untampered applications, which are typically distributed as disk images, the infected versions came in the form of .PKG installers. These files are handled by the dedicated Installer utility in macOS, and they can run scripts before and after the actual installation. In the samples we gathered, scripts ran only after the application was installed.


Contents of the malware script


A look at the script code reveals that the /Contents/Resources/ directory contains two suspicious files in addition to the cracked application’s resources: WindowServer and p.plist. The script replaces the ~/Library/Application Support/WindowServer and ~/Library/LaunchAgents/GoogleHelperUpdater.plist files with the two files from the resources folder and grants administrator permissions to them. As an installer often requests administrator permissions to function, the script run by ..
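The persistence pattern described above (a LaunchAgent plist in ~/Library/LaunchAgents that launches a binary dropped into ~/Library/Application Support under a system process name) can be triaged from the plist alone; the example below is added here and is not Kaspersky’s code or the malware’s files. The two embedded plists are constructed samples, the home directory /Users/alice is assumed, and the RunAtLoad/KeepAlive check reflects common LaunchAgent persistence keys rather than anything the article states about p.plist.

```python
"""Triage ~/Library/LaunchAgents plists for the drop pattern described in the article."""
import plistlib
import posixpath
from pathlib import Path

# Legitimate macOS process names that the dropped payload borrows (article: WindowServer).
SYSTEM_PROCESS_NAMES = {"WindowServer"}

# Constructed sample modelled on the described GoogleHelperUpdater.plist drop;
# it is NOT the real p.plist from the malware.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>GoogleHelperUpdater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent for contrast: vendor binary under /usr/local, no KeepAlive.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup-agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def triage_launch_agent(plist_bytes: bytes, home: str) -> dict:
    """Return the agent's label, launched program and the reasons (if any) it matches the pattern."""
    agent = plistlib.loads(plist_bytes)
    program = agent.get("Program") or agent.get("ProgramArguments", [""])[0]
    app_support = posixpath.join(home, "Library", "Application Support") + "/"
    reasons = []
    if program.startswith(app_support):
        reasons.append("executable lives in the user's Application Support folder")
    if posixpath.basename(program) in SYSTEM_PROCESS_NAMES:
        reasons.append("executable is named after a macOS system process")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("starts at login and is relaunched if terminated")
    return {"label": agent.get("Label"), "program": program,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_agents(directory: Path, home: str) -> list:
    """Triage every .plist in a LaunchAgents directory; one result dict per file."""
    return [triage_launch_agent(p.read_bytes(), home) for p in sorted(directory.glob("*.plist"))]


if __name__ == "__main__":
    for sample in (SAMPLE_AGENT, BENIGN_AGENT):
        result = triage_launch_agent(sample, "/Users/alice")
        print(result["label"], "->", result["reasons"] or "nothing notable")
```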
