Trojan Malware Hidden in Cracked macOS Software, Kaspersky Says
2023-12-9 00:25:22 Author: securityboulevard.com

Newly discovered cracked applications being distributed by unauthorized websites are delivering Trojan-Proxy malware to macOS users who are looking for free or cheap versions of the software tools they want.

The malware can be used by bad actors for a range of malicious activities, including hacking into systems or running phishing campaigns.

“Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods,” Sergey Puzan, a threat intelligence researcher with Kaspersky, wrote in a report this week.

The cross-platform malware – versions include elements for Windows and Android – is the latest in ongoing efforts by threat groups to target macOS users through cracked applications downloaded from such unauthorized websites.

No Free Lunch

“Oftentimes, users are not willing to pay for software tools they need, so they go searching the Web for a ‘free lunch,’” Puzan wrote. “They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.”

He noted that original – and unaltered – applications are normally distributed as a disk image. The infected versions, however, came as .PKG installers.

“These files are handled by the Installer dedicated utility in macOS, and they can run scripts before and after actual installation,” Puzan wrote. “In the examples we gathered, scripts were run only after the application was installed.”

The post-installation script that delivers the Trojan-Proxy malware references two suspicious files – WindowServer and p.plist – that ship alongside the cracked application's resources. The script replaces two legitimate files with these two from the resources folder and grants the suspicious files administrator permissions.

“As an installer often requests administrator permissions to function, the script run by the installer process inherits those,” he wrote. “The p.plist (or GoogleHelperUpdater.plist) is a configuration file. Its contents suggest that it imitates a Google configuration file and has only one job: auto-starting the WindowServer file, with a path set to ${VAR}, as a system process after the operating system is loaded.”
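The persistence described above comes down to a launchd property list that starts a binary named after a system process at boot. The following audit script is an added example, not Kaspersky's code or anything from the report, and its heuristics are assumptions: the genuine WindowServer lives under /System/ and is not started by a third-party LaunchDaemon or LaunchAgent plist; a label that imitates a Google helper but whose program lives outside Google's own install paths (the GOOGLE_OK_PREFIXES are hypothetical) is suspicious; and an unexpanded ${...} in a program path is suspicious. The two embedded plists are constructed samples, not the files from the report.

```python
"""Audit macOS launchd plists for the WindowServer/Google-lookalike persistence pattern.

Added example, not Kaspersky's code. Heuristics are assumptions, not taken
from the report (see the lead-in above).
"""
import os
import plistlib
from pathlib import Path

LAUNCH_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Hypothetical prefixes under which a real Google helper is expected (assumption).
GOOGLE_OK_PREFIXES = ("/Library/Google/", "/Applications/Google ")


def program_path(plist: dict) -> str:
    """Return the executable launchd would run for this plist, or '' if none."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return str(plist.get("Program", ""))


def audit_plist(data: bytes, source: str = "<memory>") -> list:
    """Return findings for one plist; an empty list means nothing was flagged."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed launch item is itself worth a look
        return [f"{source}: unparseable plist ({exc})"]
    findings = []
    label = str(plist.get("Label", ""))
    prog = program_path(plist)
    if not prog:
        return findings
    if "${" in prog:
        findings.append(f"{source}: unexpanded variable in program path {prog!r}")
    if Path(prog).name == "WindowServer" and not prog.startswith("/System/"):
        findings.append(f"{source}: WindowServer-named binary outside /System: {prog}")
    if label.startswith("com.google.") and not prog.startswith(GOOGLE_OK_PREFIXES):
        findings.append(f"{source}: Google-looking label {label!r} runs {prog}")
    if findings and plist.get("RunAtLoad"):
        findings.append(f"{source}: flagged item also starts automatically (RunAtLoad)")
    return findings


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> list:
    """Walk the real launchd directories on a Mac and collect findings."""
    results = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                results.extend(audit_plist(p.read_bytes(), str(p)))
            except OSError:
                continue
    return results


# Constructed samples for offline testing (not files from the report).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.helperupdater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/.cache/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_plist(blob, name) or "clean")
    # On a real Mac, uncomment to audit the live launchd directories:
    # for finding in scan_launch_dirs(): print(finding)
```

Running the script as-is only exercises the constructed samples; scan_launch_dirs() reads the live directories and needs to run on the Mac being checked. The checks are deliberately narrow, so treat any finding as a prompt to inspect the binary (code signature, location, modification time), not as a verdict.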

Masked as WindowServer

The malware is made to appear as WindowServer, a universal-format binary, to hide its presence, and this seemed to work: Kaspersky researchers found several versions of the application, the earliest of which was uploaded to VirusTotal on April 28, and none of them had been tagged as malicious by cybersecurity vendors, Puzan wrote.

The malware hides itself in several ways. After the trojan starts, it creates a log file and tries to get a command-and-control (C2) server IP address through DNS-over-HTTPS (DoH), which wraps the DNS request in what looks like a regular HTTPS request and so keeps it hidden from traffic monitoring tools. Once it gets a response, the malware opens a WebSocket connection to the C2 server, sends the application version and awaits a command in a message.

Keeping the Malware Hidden

Using DoH and WebSockets indicates that sophisticated hackers want to avoid network-based detection tools that enterprises deploy, according to Lionel Litty, chief security architect at Menlo Security.

“DoH will often mean the malware can evade detection from products that look at DNS traffic for IOCs, since DNS traffic is now wrapped within HTTPS connections that may not be inspected or that are inspected by solutions that do not understand DoH semantics,” Litty told Security Boulevard in an email. “Likewise, network devices that inspect HTTPS traffic may not understand WebSocket semantics and may fail to run signature-based detections that target the payloads of [C2] traffic used by the malware.”
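Where a proxy does see decrypted HTTPS, the two behaviours Litty describes can still be picked out of its logs. The script below is an added example, not code from Kaspersky or Menlo Security. It assumes a constructed, whitespace-separated log format (timestamp, client, method, host, path, content type, Upgrade header, with "-" for empty fields) and a hypothetical WebSocket allowlist; the sample lines use documentation addresses and example.com-style names, not real indicators. The DoH markers follow RFC 8484 (a POST carrying application/dns-message, or a GET with a ?dns= parameter, conventionally at /dns-query); the WebSocket marker is the "Upgrade: websocket" handshake header from RFC 6455.

```python
"""Spot the DoH-then-WebSocket pattern in decrypted HTTP proxy logs.

Added example, not from the article's sources. Log format and allowlist
are constructed assumptions (see the lead-in above).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Event:
    ts: str
    client: str
    method: str
    host: str
    path: str
    ctype: str
    upgrade: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line into an Event."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Event(*fields)


def is_doh(e: Event) -> bool:
    """True if the request looks like an RFC 8484 DoH query."""
    if e.ctype.lower() == "application/dns-message":
        return True
    return e.method == "GET" and ("?dns=" in e.path or "&dns=" in e.path)


def is_websocket(e: Event) -> bool:
    """True if the request is a WebSocket handshake (Upgrade: websocket)."""
    return e.upgrade.lower() == "websocket"


def analyse(lines: Iterable[str], allowed_ws_hosts=frozenset()) -> List[Tuple[str, str, str]]:
    """Return (client, kind, host) alerts for DoH use and non-allowlisted WebSocket upgrades."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if is_doh(e):
            alerts.append((e.client, "doh", e.host))
        if is_websocket(e) and e.host not in allowed_ws_hosts:
            alerts.append((e.client, "websocket", e.host))
    return alerts


def correlate(alerts) -> set:
    """Clients that both resolved over DoH and opened an unexpected WebSocket."""
    kinds = defaultdict(set)
    for client, kind, _host in alerts:
        kinds[client].add(kind)
    return {c for c, k in kinds.items() if {"doh", "websocket"} <= k}


# Constructed sample log (RFC 5737/2606 documentation addresses, not real IoCs).
SAMPLE_LOG = """
2023-12-08T10:00:01Z 10.0.0.5 POST doh.example.net /dns-query application/dns-message -
2023-12-08T10:00:02Z 10.0.0.5 GET 203.0.113.10 /ws - websocket
2023-12-08T10:00:03Z 10.0.0.7 GET www.example.com /index.html - -
2023-12-08T10:00:04Z 10.0.0.7 GET chat.example.com /socket - websocket
2023-12-08T10:00:05Z 10.0.0.9 GET doh.example.net /dns-query?dns=AAABAAABAAAAAAAA - -
""".strip().splitlines()

ALLOWED_WS = frozenset({"chat.example.com"})  # assumed corporate allowlist


def run_sample():
    """Run the detection over the constructed log; returns (alerts, suspect clients)."""
    alerts = analyse(SAMPLE_LOG, ALLOWED_WS)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, suspects = run_sample()
    for a in alerts:
        print("alert:", *a)
    print("DoH + WebSocket pattern:", sorted(suspects))
```

On the sample, 10.0.0.5 is the only client that both queried a DoH endpoint and opened a WebSocket to a host outside the allowlist, which is the sequence the article describes. The single DoH alert for 10.0.0.9 and the allowlisted WebSocket from 10.0.0.7 show why the two signals are worth correlating rather than alerting on either alone: DoH use by itself is common in browsers, and WebSockets are routine for chat and collaboration tools. Without TLS inspection, only the host name is visible and the content-type and Upgrade checks cannot fire, which is precisely the gap Litty points to.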

Along with the application targeting macOS, Kaspersky also discovered similar Trojan-Proxies hiding in cracked software for Android and Windows that connected to the same C2 server, Puzan wrote.

Ripple Effects

Callie Guenther, senior manager of cyberthreat research at Critical Start, called having malware embedded in cracked versions of popular software “an alarming trend in cyber threats targeting macOS systems” and said that such security incidents create ripple effects.

“For macOS users, the primary implication is a significant compromise in security,” Guenther told Security Boulevard in an email. “Users unknowingly installing this Trojan-Proxy are inadvertently turning their devices into nodes for illicit activities. These activities can range from hacking and phishing to facilitating transactions for illegal goods.”

The effects also reach into the network.

“By converting infected devices into proxy servers, it effectively anonymizes the cybercriminals’ activities,” Guenther wrote. “This approach enables them to route malicious or illegal traffic through these proxies, making detection and tracing exceedingly challenging.”

She added that “for threat intelligence, this represents a shift in tactics, indicating that cybercriminals are continually seeking new methods to evade traditional cybersecurity defenses.”

There are a number of ways to address the threat, the top one being not downloading software from unauthorized sources.

Source: https://securityboulevard.com/2023/12/trojan-malware-hidden-in-cracked-macos-software-kaspersky-says/