CyberWire Daily - Hooked on pirated macOS applications. [Research Saturday]

Episode Date: January 27, 2024

Jaron Bradley from Jamf Threat Labs is sharing their work on "Jamf Threat Labs discovers new malware embedded in pirated applications." Jamf Threat Labs has detected a series of pirated macOS applications that have been modified to communicate to attacker infrastructure. The research states "These applications are being hosted on Chinese pirating websites in order to gain victims." The discovery marks new and advanced malware, similar to the ZuRu malware, first discovered by Objective-See in 2021 within the iTerm2 application. The research can be found here: Jamf Threat Labs discovers new malware embedded in pirated applications

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We had a detection go off based on one of these static detections. So we saw a file that was not signed by a developer, which on the Apple platform these days is pretty strange. Essentially, we noticed that it also had a file name that it was assigning that kind of mimicked one of Apple's built-in processes. And so that kind of set this off for us as pretty weird
Starting point is 00:01:49 and something we wanted to look more into. That's Jaron Bradley. He's a director at Jamf Threat Labs. The research we're discussing today is titled Jamf Threat Labs Discovers New Malware Embedded in Pirated Applications. Well, let's walk through it together here. I mean, what is fundamentally at play here and how would somebody find themselves falling victim to this? Yeah, definitely. So after kind of tracking, taking this, what we discovered to be malware and then tracking it backwards from a DMG file, which usually hold applications. Generally how, you know, macOS applications are downloaded
Starting point is 00:02:48 or distributed is through DMG files. And when we went and grabbed the DMG file that was responsible, you know, we noticed that it had an app name and icons and everything that looked very, very much like apps that already existed. And therefore, you know, it kind of clued us into, oh, these are, or this initial sample is probably very much, it's very likely it's a pirated application or a cracked application. And we kind of, we kept pulling at that thread and looking around.
Starting point is 00:03:20 And then sure enough, on the internet, on some different pirating sites, we found multiple apps that kind of had the same malware embedded within it. Are there particular apps that they're targeting here? Are they going after a certain category? They mostly seem to be applications that were popular in some sense or that many power users might even want to use. For instance, database management tools, shell applications or alternatives to the terminal, remote desktop tools, a lot of power user type tools. So let's say that I'm someone who's looking to get one of these pirated apps. I'm looking to save a few bucks for me or, goodness forbid, my company. And I download one of these DMG files and I try to install it or run it.
Starting point is 00:04:21 I mean, what happens next? Yeah, in the background, you're essentially compromised. You're going to get some pop-ups from the operating system, right? Some warnings that say, hey, we can't verify the legitimacy of this file. But usually, when your users are downloading pirated applications, they're kind of expecting to see those pop-ups, right? They're expecting to have to click through a couple warnings when installing pirated or cracked applications. So unfortunately, usually those warnings just kind of get blown right through.
Starting point is 00:04:57 You get a working application most of the time, so long as these programs were cracked in the manner that could still be successful. But in the background, outside of the app just working, which is, of course, presented to the user, there's a whole slew of things being done in the background that you wouldn't get out of the legitimate application. Well, let's run through those together. What sort of capabilities do they have here? Yeah, so looking into this malware, what we noticed was the Khepri backdoor being downloaded.
Starting point is 00:05:34 Khepri is an open source project on GitHub, so anybody with some coding or GitHub experience could probably download that and compile it relatively easily. And it's very likely people are doing that. So it's a backdoor with built-in functionality. All you really have to do is host kind of a server and then manage to get one of these clients that you've built with Khepri embedded in your malware or convince a user to run it somehow. And these pirated apps were kind of that hidden way to do that for whoever the attacker is on the other side.
Starting point is 00:06:19 What do they seem to be after here? What's the information they're trying to gather? Yeah, so it's hard to say exactly. There is a single payload, part of the malware, one of the final stages. The attacker had taken the command and control portion of that down, where the final piece of malware was being hosted. That could be anything. We did note some, with this malware, some similarities to the ZuRu malware, which was definitely interested in stealing files, basically information it could get off your system about you, maybe your passwords, your keychain, stuff like that. But without knowing what that final payload was, it's likely that was a big piece of maybe the final objectives. But outside of those final objectives, there was a whole, as we said, the whole Khepri backdoor install would still allow the attacker to
Starting point is 00:07:11 maintain a connection to the system where essentially their objectives could be carried out through that backdoor, which has functionality for downloading files, uploading files to the victim, executing additional payloads or additional binaries that they might upload to that system, things like that. Well, help me understand here. I mean, is the malware embedded in the pirated software itself or is it installed separately and running surreptitiously behind the scenes? Yeah, it's behind the scenes. The way it's installed is actually pretty clever on the attacker's side. For those that maybe haven't been in the macOS world of security for super long, essentially a lot of malware that we've seen to date has been, you know, even up till,
Starting point is 00:08:04 I guess, even up till maybe a year or two ago, there's just been a lot of malware that is an app, it convinces users, it's legitimate, and it does some, you know, it does some malicious stuff. Not a lot of creativity in terms of social engineering or getting, being really convincing for users. But as of late, we've seen more stuff using techniques like we saw this malware using. And what that is, is basically someone has taken the application, and they've added what we called a load command to the application binary itself. And what that does is basically, it's when the attacker goes in,
Starting point is 00:08:42 and they manually modify some of the low-level components of the application to import an additional piece of code that is packaged and sitting inside the application bundle. And it does that without the user really being able to tell, unless you know how to do some reverse engineering, know how to use some different sleuthing tools on executables. It does this technique that we call like a Dylib sideload, essentially. And within that malicious library that it is modified, or within that library is where all the malicious code is held, that kicks off the malware. So essentially what that does is anytime the user opens the application, the malicious library is loaded on the side and handles
Starting point is 00:09:30 everything in the background. So yeah, all of that's being done in the background. Persistence is being set up, additional persistence, so that there's two ways it persists. A, you open the app, right? Anytime you open the app, the malware does a little check and it runs itself again. B, it sets up a launch agent that will essentially also run anytime the computer starts the system.
Starting point is 00:09:57 So there's two ways for the malware to run in the background, even if you're not using the app, it's still possible. And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:10:48 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation.
Starting point is 00:11:08 And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And would there be any indication to the user that anything was amiss? No, there wouldn't be in this case. You could see apps possibly requesting permissions to do things. For instance, with these pirated apps, something might pop up and say Microsoft Remote Desktop wants access to your files. Right. Like macOS has some built-in features that will keep apps from accessing certain files until the user approves that. You might all of a sudden see some of these cracked apps requesting permissions to
Starting point is 00:12:11 do things, but again, most users aren't going to think much of that given that they're pirated apps and they kind of expect some of these warnings, right? Yeah. So, I mean, obviously, when you talk about protecting yourself against these sorts of things, obviously, don't download and install pirated apps. But what about at an organizational level? You know, if I'm running my business and I want to protect myself against, you know, that seemingly well-meaning user who's maybe trying to try something out or save the company some money or whatever. Is there anything I can do on an organizational level to try to protect my installed Mac systems
Starting point is 00:12:56 from this sort of thing? Yeah, that's a great question. And like you're saying, obviously, the hands-down no-brainer, like how should you protect yourself from this, is don't download pirated apps, right? Like you're 100% accurate on that. Right, yeah.
Starting point is 00:13:11 And not to mention, like, this is not the first time this has happened. This has been since the history of, you know, cracking and malware that malware has been embedded inside applications, macOS included. But from the organizational perspective, definitely harder, right? Definitely more difficult. That's why we have a whole company set up around trying to make things easier on macOS, because originally these computers were built to be kind of personal computers. They were not really built to be in the corporate environment.
Starting point is 00:13:48 And if they were, there was kind of hacky ways to get them in there. But we've been seeing more, right? It's not just the CEOs anymore who are using the Apple computers. There's plenty of employees that want that and want that freedom that macOS has to offer. So essentially, security software and policies, these are both things you're able to enforce in some manner using some different what's called MDM software. So the ability to kind of manage these macOS computers remotely as an admin in a similar way that you'd be able to do it, you know, for a Windows computer. So really trying to enforce policy, running security software, you know, like some people,
Starting point is 00:14:32 they still like they think Mac and they think, oh, it's just it's inherently safe. I don't need security software. We would push against that, especially in a corporate environment, right, where you can't really control what users are just going to go out and download on the internet. There's some good built-in security features from Apple to the app operating system. XProtect is one of them. It's an antivirus scanner that tries to scan things as you're opening them up. But security software is allowed to be a bit more flexible than probably Apple can be when they have to protect the entire world. And security software can kind of scope in on what threats are out there
Starting point is 00:15:12 and provide additional coverage. So that would be my answer there. You sort of allude to looking at this from a higher level, and I'd love to get your take as someone who is deep in the world of Mac malware. Can you give us a little bit of a reality check on the state of things? Because I think as you say, I think lots of people on macOS have this feeling, some would say smugness, that, and by the way,
Starting point is 00:15:44 I count myself as a loyal Mac user, so I'm calling myself out here, that they are better protected or that they don't have to worry about these things. I mean, what's the truth there? Where do we stand? Yeah, that's a great question. And I think, I mean, it does definitely open a lot of additional questions, right? Like a lot of us still remember looking back on the commercials with, I'm a Mac, I'm a PC. Like, I don't have any viruses, you know, look at me.
Starting point is 00:16:14 And that stuck with a lot of us, I think. And in reality, it's just not true anymore. An example that I give a lot, if anyone's read The Cuckoo's Egg, it's a book by Cliff Stoll. It's a book about one of the first nation-state intrusions, really, at least the first recorded one, I guess I should say, about a guy who was working at Berkeley. And at the time, he had found an accounting error, like on one of the sheets for who was paying for the internet. Somebody was getting away with free internet time. This was a thing back then.
Starting point is 00:17:00 But the operating system of choice there at Berkeley at the time was not, you know, it was not Windows. It was not Apple's platform. It was FreeBSD or some form of Unix. Right. And this is what attackers were going after because it held all the research. And the attack at a high level looks very much the same. Attackers get on a system, they move about laterally, they find the good research, they find a way to get that research out to their systems. So what that really tells us is it's not about the security of the platform. It's about the market share, really, what systems do attackers need to be familiar with to get the good data. And I think as we see the Apple market share kind of continue to shift
Starting point is 00:17:48 and continue to gain a little more momentum in the workplace, we're going to continue to see more and more malware coming out for Mac. And if you kind of look at the Mac malware of the past few years, you'll see that that is indeed true. As the market share has shifted a little, the malware has come more and more to light. Our thanks to Jaron Bradley from Jamf Threat Labs for joining us. The research is titled,
Starting point is 00:18:23 Jamf Threat Labs discovers new malware embedded in pirated applications. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives
Starting point is 00:19:11 and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Thank you. smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Thank you.
