Pirated copies of popular macOS applications are being put up on Chinese pirating sites to lure victims and compromise their devices, cybersecurity firm Jamf Threat Labs warns.
The analyst today lifted the lid on its research into pirated versions of widely used macOS applications that have “been modified to communicate with attacker infrastructure.”
“These applications are being hosted on Chinese pirating websites in order to gain victims,” it added. “Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”
These payloads deliver malicious programs that open up “backdoors” in a target machine, allowing a threat actor to hack into a device and take it over or extract valuable sensitive data from it.
Chinese victims targeted
Jamf believes the malware campaign is primarily aimed at potential victims in China, based on analysis of the pirating websites and internet protocol addresses.
The campaign appears to converge on an executable file called .fseventsd. A leading full stop makes a file hidden by default in Finder and in plain directory listings on macOS, and the name mirrors that of the legitimate macOS file-system events daemon. Jamf says this allowed the malware to go undetected initially on the likes of VirusTotal.
However, further investigation revealed that it was “not signed by Apple” and had been originally concealed in a larger file when it was first uploaded.
“After looking for similar files on VirusTotal, we discovered three pirated applications that had all been backdoored with the same malware,” added Jamf.
Casting its net wider, the analyst then searched for the same apps on the internet and discovered that many were being hosted on the Chinese pirating website macyy[.]cn.
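A practitioner triaging a suspect bundle would want a quick check for the two traits described above: a hidden, dot-prefixed executable, and one that carries no Apple code signature. The script below is an added example, not Jamf's tooling and not taken from the research; it walks a directory, flags hidden files whose first four bytes are a Mach-O or fat-binary magic number, and, only when the macOS codesign tool is present, asks it whether each hit is signed. The sample bundle it builds (a fake Sample.app containing a file named .fseventsd) is constructed inline so the example runs offline on any platform.

```python
import os
import shutil
import subprocess
import tempfile

# Mach-O and fat (universal) magic numbers as they appear on disk, in both byte orders.
# 0xcafebabe is also the Java class-file magic, so a fat hit still deserves a look at the header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O (x86_64/arm64 files start cf fa ed fe)
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat binaries
}


def is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_hidden_machos(root):
    """Return every dot-prefixed regular file under root that is Mach-O, sorted by path."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.startswith(".") and is_macho(full):
                hits.append(full)
    return sorted(hits)


def codesign_status(path):
    """On macOS, run codesign --verify and report 'signed' or 'unsigned'; elsewhere 'unknown'."""
    codesign = shutil.which("codesign")
    if codesign is None:
        return "unknown"
    result = subprocess.run([codesign, "--verify", "--strict", path], capture_output=True)
    return "signed" if result.returncode == 0 else "unsigned"


def triage(root):
    """Pair each hidden Mach-O under root with its signature status."""
    return [(path, codesign_status(path)) for path in find_hidden_machos(root)]


def build_sample_bundle():
    """Constructed sample (not a real app): a fake bundle with one hidden Mach-O-looking file."""
    root = tempfile.mkdtemp(prefix="Sample.app-")
    macos_dir = os.path.join(root, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "Sample"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # main executable: Mach-O but not hidden
    with open(os.path.join(macos_dir, ".fseventsd"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # hidden Mach-O: the case we want flagged
    with open(os.path.join(root, ".DS_Store"), "wb") as f:
        f.write(b"\x00\x00\x00\x01Bud1")  # hidden but not Mach-O: ignored
    return root


if __name__ == "__main__":
    for path, status in triage(build_sample_bundle()):
        print(f"{status:8s} {path}")
```

On a Mac, point `triage()` at a downloaded bundle rather than the sample; a hidden Mach-O that codesign reports as unsigned is exactly the combination Jamf describes and is worth pulling apart before the app is ever launched.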
Tempter and tempted
One advantage the attackers gain from this type of campaign is that the victims are themselves breaking the law by seeking out pirated software, and are therefore less inclined to heed the security warnings that such installs routinely trigger.
“One of the major difficulties in dealing with users who install pirated applications is that they expect to see security alerts, as the software isn’t legitimate,” said Jamf. “This expectation leaves them willing to skip past any security warning prompts built into the operating systems.”
Jamf further believes that this campaign is redolent of the earlier ZuRu malware first spotted in 2021 in pirated versions of iTerm, SecureCRT, Navicat Premium, and Microsoft Remote Desktop.