Danger from the Middle Kingdom: Pirated apps give hackers full control over macOS

Brother

How exactly does malware infect the system?

According to researchers from Jamf Threat Labs, pirated applications for the macOS operating system distributed on Chinese websites contain malware that allows attackers to gain remote access to infected computers.

These programs include popular applications like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and the Microsoft Remote Desktop remote access utility.

Malicious code integrated into installer files with the DMG extension is configured to communicate with malicious servers. In addition, these apps, which do not have a digital signature from the developer, implement a component called "dylib", which is activated at each launch. It, in turn, loads the backdoor "bd.log" and the loader "fl01.log" from the remote server. This allows the attackers to gain a foothold in the system and install additional modules.

The backdoor is saved to the "/tmp/.test" directory and provides full access to the infected system. Since it is located in the temporary directory "/tmp", it is deleted when the computer is turned off, but it is created again the next time the application is launched.

Meanwhile, the loader is placed in the hidden directory "/Users/Shared/.fseventsd", creates a task for autorun when the system is turned on and sends an HTTP request to the attackers' server. Although this server is currently unavailable, initially the loader was intended to save the response to the file "/tmp/.fseventsds" and then run the received malicious code.

According to experts, this malware is similar to the previously discovered Zuru Trojan, which was also distributed through pirated applications on Chinese sites. This is probably a new version of the Zuru Trojan, given the choice of target applications, implementation methods, and the hackers' infrastructure.
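A small hunt script for the on-disk indicators the post lists (the "/tmp/.test" backdoor, the "/tmp/.fseventsds" staging file, the hidden "/Users/Shared/.fseventsd" loader directory, and the autorun task). This is an added example written for this thread, not code from the post or from Jamf Threat Labs. It assumes the "autorun task" is a launchd plist under a LaunchAgents or LaunchDaemons directory that references the loader directory (the post does not say which persistence mechanism is used), and it takes an optional root directory so it can be pointed at a mounted disk image or a test tree instead of the live system. The signature check only runs where `codesign` exists, i.e. on macOS.

```shell
#!/bin/sh
# Added example (not the post's or Jamf's code): hunt for the on-disk
# indicators described in the thread. Only the paths named in the post are
# used. The launchd check is an assumption: the post says the loader
# "creates a task for autorun" but does not name the mechanism, so we look
# for LaunchAgent/LaunchDaemon plists that reference the loader directory.

# Paths the post attributes to the backdoor, the staged payload and the loader.
ZURU_IOC_PATHS="/tmp/.test
/tmp/.fseventsds
/Users/Shared/.fseventsd"

# hunt_zuru_iocs [ROOT]
# Prints one tab-separated "kind<TAB>path" line per indicator found under
# ROOT (default "/"). Returns 0 if anything was found, 1 if the tree is clean,
# so it can gate a CI-style check or a fleet job.
hunt_zuru_iocs() {
    root="${1:-/}"
    root="${root%/}"          # drop trailing slash so "$root$p" stays well formed
    hits=0

    # 1. Dropped files and the hidden loader directory.
    for p in $ZURU_IOC_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'ioc-path\t%s\n' "$root$p"
            hits=$((hits + 1))
        fi
    done

    # 2. Persistence (assumed launchd): system-wide and per-user plists that
    #    point anywhere into the loader directory.
    for dir in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
               "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q '/Users/Shared/\.fseventsd' "$plist" 2>/dev/null; then
                printf 'launchd-ref\t%s\n' "$plist"
                hits=$((hits + 1))
            fi
        done
    done

    [ "$hits" -gt 0 ]
}

# check_app_signature APP_BUNDLE
# The post says the trojanised apps carry no developer signature, so a
# freshly downloaded bundle that fails verification is a red flag. Uses the
# real codesign(1) verify mode; returns 2 when codesign is not on this host
# (anything other than macOS), 0 when the signature validates, nonzero
# otherwise.
check_app_signature() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        printf 'codesign not available on this host; skipping %s\n' "$app" >&2
        return 2
    fi
    codesign --verify --deep --strict "$app" 2>/dev/null
}

# Usage on a live Mac (hypothetical app path):
#   hunt_zuru_iocs / || echo "no indicators found"
#   check_app_signature "/Applications/Navicat Premium.app" || echo "unsigned or tampered"
```

Note that the post says "/tmp/.test" is recreated on every launch of the trojanised app and disappears at shutdown, so a clean result from the path check on a powered-up-but-idle machine does not clear the host; the launchd reference and the "/Users/Shared/.fseventsd" directory are the more durable indicators to key on.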