Proxy Trojan Targets macOS Users for Traffic Redirection

Apple users who end up with the Trojan on their machines face a number of bad outcomes, including potential criminal liability.

3 Min Read
A red apple with an arrow through it
Source: Leonello Calvetti via Alamy Stock Photo

A sophisticated proxy Trojan targeting macOS has been discovered and is being distributed through pirated versions of genuine business software, including editing tools, data recovery software, and network scanning applications.

The Trojan operates by masquerading as a legitimate program during installation, then subsequently creating a hidden proxy server within the user's system, according to a Kaspersky report this week. This covert server enables threat actors to maintain a backdoor on the system but also redirect network traffic through the compromised device.

Sergey Puzan, cybersecurity expert at Kaspersky, explains that the presence of such a proxy Trojan can have consequences of varying severity for victims. For instance, if the proxy is used to route the traffic of other users, perhaps by unscrupulous VPNs, that can significantly load up the user's network, thereby slowing down its operation or using up any set traffic limit.

Other possible scenarios could see malicious actors using victims' computers to increase advertising views; organizing a botnet for the purpose of further DDoS attacks on various sites, organizations, or other users; or for illegal activities, such as buying weapons, drugs, or distributing malicious information or other malicious programs.

In the case of illegal activities on the Internet, there are significant direct risks for the user, since any such action will be performed from that user's IP address — and that means on the user's behalf.

Using DoH to Blend In

On the technical front, Kaspersky's report noted that in addition to the macOS version, specimens for Android and Windows were discovered connected to the same command-and-control (C2) server. For all three, the researchers highlighted the use of DNS-over-HTTPS (DoH) to conceal C2 communications from traffic-monitoring tools.

Specifically, DoH can allow it to bypass primitive security solutions based only on the analysis of DNS requests, since the request will look like a regular HTTPS request to a server that implements DoH.

"The main protection strategy for ordinary users, of course, will be to install a security solution, such as an antivirus with network traffic analysis functions," Puzan says. "It is enough to monitor the movement of traffic and changes in the file system."

He adds, "In this case, you can add the IP address of the C2 server to the blacklist, then the Trojan will not be able to connect to the server and you will immediately detect its presence in the system."

The proxy is also spread via cracked applications from unauthorized websites, targeting users seeking free software tools and exposing them to potential malware installations — so a simple way to avoid infection is to avoid downloading pirated software.

Mac Users: Constant Targets for Botnets

Ken Dunham, director of cyber threat at Qualys, notes that Mac users might have a misperception that they’re not in the sights of cybercriminals, but the opposite is true.

For instance, Apple fans have long been targeted by botnet actors, due to the Mac layer for users and BSD codebase layer underneath, which can be silently abused by malicious users that compromise an endpoint.

"For years, many Mac users felt invulnerable to attack, due to the large volume of attacks seen in the Windows world," Dunham explains. "While the attack surface of Windows is clearly much larger, all operating systems and software attack surfaces are under attack in 2023, where attackers leave no stone unturned."  

Specific data points bear this out: In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend likely to continue.


About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights