Dec 08, 2023NewsroomEndpoint Security / Malware

Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware.

“Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods,” Kaspersky security researcher Sergey Puzan said.

The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools.

The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign.


Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered in the form of .PKG installers, which come equipped with a post-install script that activates the malicious behavior post installation.

“As an installer often requests administrator permissions to function, the script run by the installer process inherits those,” Puzan noted.

The end goal of the campaign is to launch the Trojan-Proxy, which masks itself as the WindowServer process on macOS to evade detection. WindowServer is a core system process responsible for window management and rendering the graphical user interface (GUI) of applications.

Upon start, it attempts to obtain the IP address of the command-and-control (C2) server to connect to via DNS-over-HTTPS (DoH) by encrypting the DNS requests and responses using the HTTPS protocol.


Trojan-Proxy subsequently establishes contact with the C2 server and awaits further instructions, including processing incoming messages to parse the IP address to connect to, the protocol to use, and the message to send, signaling that its ability to act as a proxy via TCP or UDP to redirect traffic through the infected host.

Kaspersky said it found samples of the malware uploaded to the VirusTotal scanning engine as early as April 28, 2023. To mitigate such threats, users are recommended to avoid downloading software from untrusted sources.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.