Kaspersky recently uncovered the most recent Trojan Proxy malware campaign, revealing that the earliest submission of the payload on VirusTotal can be traced back to April 28, 2023.
Cybercriminals have typically been keen on exploiting macOS applications to target Mac users, and this time, they might just have hit the jackpot. According to the latest research from cybersecurity researchers at Kaspersky, threat actors are deploying a novel Trojan Proxy malware in cracked applications, distributed via unauthorized websites. The plan behind this operation is to compromise Mac devices.
Researchers observed that the campaign’s earliest payload submission on VirusTotal was on April 28, 2023. Further probing revealed that the malware is disguised within popular copyrighted macOS software available on warez sites.
For your information, warez sites are websites that offer copyrighted digital content, such as software, movies, music, ebooks, and games, for free or at a significantly lower price than the original product.
The malware allows attackers to build a proxy server network to commit crimes or make profits. When installed, this malware converts computers into anonymous traffic-forwarding terminals, allowing malware operators to perform malicious activities, such as phishing, hacking, or conducting illegal transactions.
“Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods,” researchers explained in a blog post.
Infected applications appear as legitimate cracked software, distributed as .PKG installers rather than the usual disk images. A post-installation script replaces two system files with malicious versions from the app resources and grants them administrator permissions. A fake Google configuration file (p.plist) automatically starts the WindowServer malware file as a system process.
This binary file was uploaded to VirusTotal on April 28 but wasn’t recognized as malware at the time. The malware uses DNS-over-HTTPS (DoH) to obtain the C2 server IP address and then connects to it over WebSockets, receiving commands for the various malicious activities the Trojan can perform and sending information back.
However, during their research, investigators didn’t receive a server response beyond the 0x38 command, and they noted that the client supported both TCP and UDP connections. Earlier versions relied on traditional DNS requests instead of DoH for C&C server acquisition.
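The persistence mechanism described above (a launchd-style configuration file that starts a binary named after a real system process, from a location the OS does not own) is something a defender can hunt for. The following audit script is an added illustration, not Kaspersky's or Hackread's code: the sample plists are constructed, the list of system-process names and trusted path prefixes is an assumption meant to be extended from your own inventory, and the "Google"-style label is invented to mirror the article's description rather than copied from the real sample.

```python
"""Audit launchd property lists for the persistence pattern the article
describes: a job that launches a binary carrying a system-process name from a
path outside the OS-owned directories.  Added illustration; samples are
constructed, not real indicators."""
import plistlib
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Names of well-known macOS system processes (assumption: illustrative list,
# extend it from a trusted inventory of your own).
SYSTEM_PROCESS_NAMES = {"WindowServer", "launchd", "kernel_task", "syslogd"}

# Directories the OS itself owns.  A binary with a system-process name should
# live under one of these, never in /Library, /private/tmp or a user home.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job would run
    (Program takes precedence over ProgramArguments[0])."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_job(label: str, job: dict) -> List[str]:
    """Return findings for one job; an empty list means nothing suspicious."""
    findings = []
    path = program_path(job)
    if path is None:
        return [f"{label}: no Program/ProgramArguments, cannot assess"]
    name = PurePosixPath(path).name
    trusted = path.startswith(TRUSTED_PREFIXES)
    if name in SYSTEM_PROCESS_NAMES and not trusted:
        findings.append(
            f"{label}: system-process name {name!r} launched from untrusted path {path}")
    if job.get("RunAtLoad") and job.get("KeepAlive") and not trusted:
        findings.append(
            f"{label}: persistent job (RunAtLoad+KeepAlive) outside trusted prefixes")
    return findings


def audit_plists(blobs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Parse each plist blob and assess it; unparsable files are reported too."""
    out = {}
    for fname, data in blobs.items():
        try:
            job = plistlib.loads(data)
        except plistlib.InvalidFileException:
            out[fname] = [f"{fname}: not a valid property list"]
            continue
        out[fname] = assess_job(job.get("Label", fname), job)
    return out


# Constructed samples: a benign daemon under an OS-owned path, and a job that
# mimics the article's fake "Google" config launching a WindowServer look-alike.
SAMPLE_PLISTS = {
    "com.apple.example.plist": plistlib.dumps({
        "Label": "com.apple.example",
        "Program": "/usr/libexec/example_daemon",
        "RunAtLoad": True,
    }),
    "p.plist": plistlib.dumps({
        "Label": "com.google.update",  # constructed label, not a real indicator
        "ProgramArguments": ["/Library/Application Support/Google/WindowServer"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for fname, findings in audit_plists(SAMPLE_PLISTS).items():
        print(fname, "->", findings or ["clean"])
```

On a real host you would feed `audit_plists` the contents of `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`; the name-versus-path check is the part that catches the specific trick the article describes, while the RunAtLoad/KeepAlive check is a broader heuristic that will also surface legitimate third-party daemons and therefore needs an allowlist.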
It is worth noting that selling access to these proxies is a highly profitable business, encompassing massive botnets. Kaspersky researchers noted that Mac devices aren’t immune to this deep-rooted threat, which is why this campaign works.
Attackers are exploiting the popularity of cracked versions of copyrighted software, specifically commercial software/programs, as users prefer to avoid paying for premium software.
Around 35 instances of popular image editing, data recovery, video compression and editing, and network scanning apps laced with Trojan Proxy were identified by Kaspersky.
Beyond macOS, researchers have identified Android and Windows versions connecting to the same C&C server. This means a larger distribution network for cracked software laced with Trojan Proxy malware could be at work.
Menlo Security’s chief security architect, Lionel Litty, shared with Hackread.com that using DoH and WebSocket indicates that threat actors are focusing more on evading network-based detection mechanisms.
“The use of DoH and WebSocket shows that more sophisticated bad actors are focused on evading network-based detection mechanisms an enterprise may have deployed,” Litty explained.
“DoH will often mean the malware can evade detection from products that look at DNS traffic for IOCs since DNS traffic is now wrapped within HTTPS connections that may not be inspected or that are inspected by solutions that do not understand DoH semantics,” Litty added.
“Likewise, network devices that inspect HTTPS traffic may not understand WebSocket semantics and may fail to run signature-based detections that target the payloads of C&C traffic used by the malware,” Litty warned.
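Litty's point is that DNS-only and signature-only inspection both miss this traffic; where an organization does terminate TLS at a proxy, the two transport habits the article describes (DNS-over-HTTPS per RFC 8484, then a WebSocket upgrade to a bare IP address) are still visible at the HTTP layer. The script below is an added illustration, not Kaspersky's or Menlo Security's code: the key=value log format and all sample lines are constructed, the IP address is from the documentation range, the public DoH resolver hostnames are real but the list is not exhaustive, and the set of "browser-like" processes allowed to speak DoH on their own is an assumption to be tuned per environment.

```python
"""Hunt constructed web-proxy log lines for two behaviours the article
describes: DNS-over-HTTPS (RFC 8484) issued by a non-browser process, and a
WebSocket upgrade to a bare IP address.  Added illustration; log format and
sample lines are constructed, not real telemetry."""
import ipaddress
import shlex
from typing import Dict, List

# Public DoH resolvers (real hostnames; illustrative, not exhaustive).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
# Processes expected to use DoH or WebSockets on their own (assumption).
BROWSER_LIKE = {"Google Chrome", "Safari", "firefox"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed line: '<ts> key=value key="quoted value" ...'."""
    tokens = shlex.split(line)
    rec = {"ts": tokens[0]}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def is_doh(rec: Dict[str, str]) -> bool:
    """RFC 8484 markers: known resolver host, /dns-query path or DNS media type."""
    return (rec.get("host") in DOH_HOSTS
            or rec.get("path", "").endswith("/dns-query")
            or rec.get("ct") == "application/dns-message")


def is_bare_ip(host: str) -> bool:
    """True when the Host value is an IP literal (optionally with :port)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(rec: Dict[str, str]) -> List[str]:
    """Return findings for one parsed record; empty list means benign."""
    findings = []
    proc = rec.get("proc", "")
    if is_doh(rec) and proc not in BROWSER_LIKE:
        findings.append(f"DoH from non-browser process {proc!r} to {rec.get('host')}")
    if rec.get("upgrade", "").lower() == "websocket" and is_bare_ip(rec.get("host", "")):
        findings.append(f"WebSocket upgrade to bare IP {rec.get('host')} by {proc!r}")
    return findings


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per log line that produced at least one finding."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = classify(rec)
        if findings:
            alerts.append({"ts": rec["ts"], "proc": rec.get("proc"), "findings": findings})
    return alerts


# Constructed sample log (203.0.113.10 is from the RFC 5737 documentation range).
SAMPLE_LOG = """\
2023-04-28T10:00:01Z proc="Google Chrome" method=POST host=dns.google path=/dns-query ct=application/dns-message upgrade=-
2023-04-28T10:00:05Z proc=WindowServer method=POST host=dns.google path=/dns-query ct=application/dns-message upgrade=-
2023-04-28T10:00:06Z proc=WindowServer method=GET host=203.0.113.10:443 path=/ ct=- upgrade=websocket
2023-04-28T10:00:09Z proc=Safari method=GET host=www.example.com path=/index.html ct=text/html upgrade=-
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["proc"], *alert["findings"], sep=" | ")
```

The browser allowlist keyed on process name is deliberately simple; in practice the process attribution comes from an endpoint agent rather than the proxy, and a name match alone is weak evidence (the article's sample itself borrows the WindowServer name), so the signal is strongest when the DoH request and the subsequent WebSocket upgrade are correlated from the same process within a short window.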