A new strain of malware that infects Mac users’ cryptocurrency wallets has been discovered by security researchers. The malware is distributed through cracked applications that users download from unauthorized sources. The malware replaces the original wallet applications with malicious versions that steal the secret recovery phrases.
The malware targets Mac users who are looking for pirated software, such as games, productivity tools, or video editing software. The hackers behind the malware take advantage of the fact that users looking for cracked apps are more likely to disable security on their machines and download installers from questionable websites. This makes it easier for them to trick users into installing the malware along with the pirated software.
The malware targets macOS versions 13.6 and above, indicating a focus on users of newer operating systems, both on Intel and Apple Silicon devices. The malware gains access to a user’s computer security password when the user enters it into an activator box that appears after running the installer. The activator then patches the pirated application to make it functional, but also executes the malware’s primary payload.
The malware uses a clever technique to hide its malicious code. It gets a DNS TXT record for a malicious domain and decrypts a Python script from it. The script runs endlessly trying to download the next stage of the infection chain, which is also a Python script. The purpose of the next payload is to execute arbitrary commands received from the server. The commands are likely encoded Python scripts as well.
What the malware does
Apart from the mentioned functionalities, the script contains two notable features involving the domain apple-analyzer [.]com. Both functions aim to check for the presence of cryptocurrency wallet applications and replace them with versions downloaded from the specified domain. This tactic was observed targeting both the Bitcoin and Exodus wallets, turning these applications into malicious entities.
The infected wallet applications look identical to the original ones, but they have a hidden agenda. When the user tries to open the wallet, the malware steals the secret phrase used to access the cryptocurrency stored in the wallet. The secret phrase is then sent to the attackers, who can use it to transfer the funds to their own accounts.
The malware also has a backdoor that can run any scripts with administrator privileges. This means that the attackers can perform other malicious actions on the compromised machine, such as installing more malware, stealing personal data, or deleting files.
How to protect yourself
The malware campaign is still in development, according to the researchers from Kaspersky who discovered it. They also noted that the malware is unique in two ways: first, it uses DNS records to deliver its malicious Python script, increasing the malware’s level of stealth in the network traffic. Second, it doesn’t just steal crypto wallets, it replaces them with its own infected versions.
To avoid falling victim to this malware campaign, Kaspersky recommends using trusted websites, keeping the computer’s operating system updated, and using a security solution on the machine. The researchers also noted that other techniques used by hackers include disguising malware as a legitimate wallet on online stores or fake websites. This activity has become so common that the United States Federal Bureau of Investigation (FBI) issued a warning about it.
The malware is a serious threat to Mac users who own cryptocurrency, as it can result in significant financial losses. Users should be extra cautious, especially with their cryptocurrency wallets. Avoid downloading from suspicious sites and use trusted cybersecurity solutions for better protection.