Cybersecurity firm warns Macbook Crypto users targeted by advanced malware attack

By Crypto Flexs | January 24, 2024 | 3 Mins Read

The widespread adoption of cryptocurrencies in the fast-growing cryptocurrency industry is attracting not only legitimate users but also cybercriminals seeking to exploit vulnerabilities.

Recent research from cybersecurity firm Kaspersky has uncovered sophisticated malware attacks targeting Macbook users in the cryptocurrency space.

Collect sensitive data from infected Mac systems

Kaspersky Lab experts discovered that the attackers repackaged pre-cracked applications as package (PKG) files (a file format commonly used on Macbooks) and included a Trojan proxy and a post-installation script.

Applications containing malicious code were primarily distributed through pirated software channels. When a user attempts to install a cracked application, the infection process begins without their knowledge.

To fool the user, the infected installation package displayed a window with installation instructions, telling the user to copy the application to the /Applications/ directory and launch an application called “Activator”.

Activation window and password form targeted at crypto users. Source: Kaspersky

Although it may seem simple at first glance, Activator effectively gave the malware administrator privileges by prompting the user to enter a password.

When executed, the malware checked whether a copy of the Python 3 programming language was installed on the system. If it was not, the malware installed the Python 3 version it had copied earlier from the Macbook operating system directory.

The malware then “patched” the downloaded apps by comparing the modified executable to sequences hardcoded inside the Activator. If a match was found, the malware removed the initial bytes, making it appear to the user that the application had been cracked and was working properly. However, once the malware launched its main payload, the attacker’s true intentions were revealed.

Infected samples established communication with a command and control (C2) server by generating a unique Uniform Resource Locator (URL), or web address, through a combination of hardcoded words and a random three-level domain name.

This method allowed the malware to hide its activities within legitimate DNS server traffic and ensure payload download.

The decrypted script obtained from the C2 server (a remote server or infrastructure used by cybercriminals to control and manage malware or botnet operations) revealed that the malware operates by executing arbitrary commands received from the server. These commands were often passed as Base64-encoded Python scripts.

The malware also collected sensitive information from the infected system, including operating system version, user directory, list of installed applications, CPU type, and external IP address. The collected data was sent back to the server.

Malware campaign targets cryptocurrency wallet applications

While analyzing the malware campaign, Kaspersky discovered that the C2 server did not return any commands during the investigation and eventually stopped responding.

However, a subsequent attempt to download the Step 3 Python script uncovered an update to the script metadata. This represents continuous development and adaptation by malware operators.

The malware also included the ability to target popular cryptocurrency wallet applications, including Exodus and Bitcoin-Qt.

When these applications were detected on an infected system, the malware attempted to replace them with infected versions obtained from another host, apple-analyzer (.)com.

Infected cryptocurrency wallets contain mechanisms to steal wallet unlock passwords and secret recovery phrases from unsuspecting users.

The cybersecurity company emphasized that malicious actors continue to distribute cracked applications to gain access to users’ computers.

An attacker can easily escalate privileges by abusing user trust during software installation by prompting the user for a password. Kaspersky also highlighted the techniques used by the malware campaign, including storing Python scripts within domain TXT records on DNS servers, demonstrating the attackers’ “ingenuity”.
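The delivery channel described above (Base64-encoded Python scripts carried in DNS TXT records) can be hunted for in resolver logs. The following is an added detection sketch, not code from Kaspersky or from this article; the log tuple format, the `.example` domains, the length threshold and the token list are assumptions made for the example, and it also flags opaque Base64 blobs because a payload may be encrypted before encoding.

```python
import base64
import binascii
import re

# Constructed sample log: (query name, record type, TXT character-strings).
# All names use reserved example domains; nothing here is a real indicator.
_PAYLOAD = base64.b64encode(b"import os, platform\nprint(platform.mac_ver())\n" * 6).decode()
SAMPLE_DNS_LOG = [
    ("mail.corp.example", "TXT", ["v=spf1 include:_spf.corp.example ~all"]),
    ("sel1._domainkey.corp.example", "TXT",
     ["v=DKIM1; k=rsa; p=" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 8]),
    ("x7f3a.updates.example", "TXT", [_PAYLOAD[:255], _PAYLOAD[255:]]),
    ("www.corp.example", "A", ["192.0.2.10"]),
]

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
PY_TOKENS = (b"import ", b"def ", b"exec(", b"subprocess", b"os.")
MIN_LEN = 200  # assumption: ordinary SPF/verification records are shorter or not pure Base64

def classify_txt(strings):
    """Return None for ordinary TXT data, otherwise the reason it is suspicious."""
    # One TXT record holds several strings of at most 255 bytes; clients concatenate them.
    joined = "".join(strings)
    if len(joined) < MIN_LEN or len(joined) % 4 or not B64_RE.fullmatch(joined):
        return None
    try:
        raw = base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return None
    if any(tok in raw for tok in PY_TOKENS):
        return "base64-python"   # decodes directly to Python source
    return "base64-blob"         # opaque payload, still unusual for a TXT answer

def scan(log):
    """Return (query name, reason) for every suspicious TXT answer in the log."""
    hits = []
    for name, rtype, data in log:
        if rtype != "TXT":
            continue
        reason = classify_txt(data)
        if reason:
            hits.append((name, reason))
    return hits

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_DNS_LOG):
        print(f"{name}: {reason}")
```

The DKIM record in the sample carries a long Base64 key but is not flagged, because its `v=DKIM1; k=rsa; p=` prefix means the record as a whole is not pure Base64.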

On the daily chart, the overall cryptocurrency market cap fell below $1.5 trillion. Source: TOTAL on TradingView.com

Featured image from Shutterstock, chart from TradingView.com
