Stealthy New macOS Backdoor Hides on Chinese Websites

Modified malware from the Khepri open source project that shares similarities with the ZuRu data stealer harvests data and drops additional payloads.

A green door to a tan brick house with a green-leafed tree and a black streetlight behind it
Source: Age Foto Stock via Alamy Stock Photo

A sneaky macOS backdoor that allows attackers to remotely control infected machines has been hiding in trojanized applications for the platform that are hosted on Chinese websites. The ".fseventsd" binary bears some resemblance to known malware baddies, but adds a new layer of stealth that sets it apart.

Researchers from Jamf Threat Labs discovered the series of poisoned apps being hosted on the Chinese site macyy[.]cn; they have been modified to communicate to attacker infrastructure, though "it's highly likely they're being hosted on other application-pirating websites as well," Jaron Bradley, director at Jamf Threat, tells Dark Reading.

"These applications are being hosted on Chinese pirating websites in order to gain victims," he wrote in a blog post about the research published Jan. 18. "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine."

Jamf Threat Labs has established that the malware behaves like malicious code from the Khepri opensource project, though it appears to be modified "to try and make the malware blend in with other processes on the operating system," Bradley says. It does this by renaming itself in case anyone encounters the malware while trying to investigate system processes.

Otherwise the functionality acts like the Khepri backdoor, allowing the attacker to collect information about the system, download and upload files if the user has granted the permissions, and open a remote shell on the computer, he says.

Similar to ZuRu Malware

The researchers initially discovered the malware in the form of an executable named .fseventsd that they noticed while triaging various threat alerts. The executable was notable for being hidden — evidenced by its name starting with a period — and also for using the name of a process built into the OS. It also was not blocked by Apple nor at the time was it flagged as malicious on VirusTotal.

Using VirusTotal, the researchers determined that the .fseventsd binary was originally uploaded as part of a greater DMG file that also was backdoored on three other pirated apps.

An Internet search traced the apps to the Chinese website, which also provides links to many other pirated applications. "We also discovered two additional DMGs trojanized in the same manner that had not yet made their way to VirusTotal," Bradley added.

A deeper analysis of the file found that the malware hidden inside the apps executes three malicious activities. The first is a malicious dylib, a library loaded by the application that acts as a dropper executing each time the application is opened. That library subsequently downloads the following two malicious processes: a backdoor binary downloaded that uses the Khepri open source command-and-control (C2) and post-exploitation tool, and a downloader that sets up persistence and downloads additional payloads.

The researchers found that the malware shares a few similarities with the ZuRu malware, a previously identified data-stealing malware for macOS that spreads via sponsored search results on Baidu and installs the Cobalt Strike agent on compromised systems.

While the final payloads are different, the two malwares share similarities in the applications that they compromise, the dylib techniques that both use, and the domains that they use for infrastructure, Bradley says.

"However, the final malware that is being dropped is very different from the original ZuRu so it's hard to tell if it's directly related," he says.

macOS at Risk

Overall, the campaign demonstrates once again the existing risk for the macOS platform from pirated applications, but more importantly outlines the increased frequency of attackers using a malicious library placed within a modified application to compromise users.

"This is a technique that often makes detection and analysis a little more difficult," Bradley tells Dark Reading. "This shows that malware authors are getting more familiar with the macOS operating system and are taking the time to get more stealthy."

To protect the platform, one key mistake macOS enterprises and users should avoid making is the assumption that "all Macs are inherently safe," Bradley says. Indeed, there has been a notable and increased targeting of the platform by attackers in the last few years, who are now even creating custom macOS malware including infostealers that can crack Apple's built-in software protections.

Bradley advised that enterprises use software that both detects and blocks threats on macOS as well as prevents users from visiting websites that are known to be used for hosting pirated software. Further, all macOS users are strongly discouraged from downloading pirated apps, whether at home, while using a corporate VPN, or in the office.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights