The attack is being targeted to macOS Ventura and later, depending on the vulnerable applications repackaged as PKG files that include a trojan.
Attack details
The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain.
While downloading an Application/folder, victims tend to follow installation instructions, unaware that they are actually executing the malware. Following this, they open the bogus Activator window that asks for the administrator password.
The malware uses the ‘AuthorizationExecuteWithPrivileges’ method to execute a ‘tool’ executable (Mach-O) after acquiring permission. If Python 3 is not already installed on the system, it installs it and appears to be “app patching.”
The malware then contacts its C2 server, at a site named ‘apple-health[.]org,’ in order to obtain a base64- encoded Python script that is designed to run arbitrary commands on the targeted device.
Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.
This way, the hacker
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.