New macOS Trojan-Proxy piggybacking on cracked software

Illegally distributed software historically has served as a way to sneak malware onto victims’ devices. Oftentimes, users are not willing to pay for software tools they need, so they go searching the Web for a “free lunch”. They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.

We recently discovered several cracked applications distributed by unauthorized websites and loaded with a Trojan-Proxy. Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods.

Postinstall script

Unlike the original, untampered with, applications typically distributed as a disk image, the infected versions came in the form of .PKG installers. These files are handled by the Installer dedicated utility in macOS, and they can run scripts before and after actual installation. In the examples we gathered, scripts were run only after the application was installed.

Contents of the malware script

A look at the script code reveals that the /Contents/Resources/ directory contains two suspicious files in addition to the cracked application resources: WindowServer and p.plist. The script replaces the ~/Library/Application Support/WindowServer and ~/Library/LaunchAgents/GoogleHelperUpdater.plist files with the two files from the resources folder, and grants administrator permissions to these. As an installer often requests administrator permissions to function, the script run by the installer process inherits those.

The p.plist (or GoogleHelperUpdater.plist) is a configuration file. Its contents suggest that it imitates a Google configuration file and has only one job: auto-starting the WindowServer file, with a path set to ${VAR}, as a system process after the operating system is loaded.

Contents of the p.plist file

WindowServer

WindowServer is a universal format binary file. We have found several versions of the application, with the earliest one uploaded to VirusTotal on April 28, 2023. None of the versions were flagged by any anti-malware vendors as malicious.

After starting, the Trojan creates log files and attempts to obtain a C&C server IP address via DNS-over-HTTPS (DoH), thus making the DNS request indistinguishable from a regular HTTPS request and hiding it from traffic monitoring.

Beginning of application code (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

Example of GET request in C&C IP address function (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

After receiving a response, it establishes a connection with the C&C server at register[.]akamaized[.]ca via WebSocket by sending the application version and expecting a command with a relevant message in return. See below for a list of supported commands.

During our research efforts, we did not receive a server response containing any command but 0x38. An analysis of the program code suggests that the 0x34 command should be accompanied by a message containing the IP address to connect to, the protocol to use and the message to send. The client supports both TCP and UDP connections.

TCP and UDP connection code (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

As mentioned earlier, we have discovered several versions of the Trojan, with a number of distinguishing features:

• Unlike its predecessors, the latest of the versions we know of cannot check its own version or update. The update function is there, but it is not invoked anywhere in the code.
  

  Snippet of the update function (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

• Older versions obtain a C&C IP address by means of a regular DNS request rather than DoH.
• All versions of the Trojan write logs to log.txt and dbg.dmp, without cleaning up after shutdown or providing any means for the operators to analyze the logs. Thus, it is possible to ascertain the presence of the malware in the system both by checking the known paths and searching for key tags across all text files.

Versions targeting other platforms

Besides the macOS application, we discovered several specimens for Android and Windows that connected to the same C&C server. These are also Trojan-Proxies that hide inside cracked software.

Indicators of compromise

MD5:
Trojan-Proxy binaries:
063d956b55da0d18f3f732c2bbd4bc28 — WindowServer
f6d1aa43d40727104f0517c91b117f72 — WindowServer
f40affab8ee804a49893fd1df3710622 — WindowServer

Postinstall Scripts:
2a4fff0b167654edc7f62a747ea13067
0049c3960ab98e11db3872a98078b7a6
ed7fd28bc482d9a822d78f515d18e93c
a0fe67385390bab476d9b716f4097907

Property Lists:
0049c3960ab98e11db3872a98078b7a6 — GoogleHelperUpdater.plist
2a4fff0b167654edc7f62a747ea13067 — GoogleHelperUpdater.plist

PKGs:
7b4b44bf6c3d8eb31f14206c0d76c321 — 4K Image Compressor.pkg
00cbaee9a21dd0ca13ecbeca30ef9b26 — 4K Video Downloader Pro v4.24.3 macOS.pkg
3432f1cb6be21938be87ad0b12202423 — Aiseesoft Mac Data Recovery.pkg
af7b3ac1adc4f4d563c75e8583c0f239 — Aiseesoft Mac Video Converter Ultimate.pkg
ec1698e7900210c642a2772e8d040f8c — allavsoft.pkg
0c369d305e101381dfbd2f277417ca69 — AnyMP4 Android Data Recovery for Mac.pkg
6f58024bfe61351035711f33a2133c40 — AweCleaner.pkg
9b83fc25080d542a9fd71bbe0678e593 — Downie 4.pkg
338f882d4fc0c2cc96eca6edb1d6a6f0 — FonePaw Data Recovery.pkg
b35db7dd042ca92ad7180f6a1e2bdad8 — iNet Network Scanner.pkg
e06b0fef08b711f8ba307d1c13cc1b97 — MacDroid.pkg
7934bede64f6473576e400aefafae2b3 — MacX Video Converter Pro.pkg
0003a4d2207462e24fbc711fa1b84533 — MouseBoost Pro.pkg
b5a334d92906f8a85cc86c582d3232bf — MWeb Pro.pkg
3627fa05f7fb975a4be8392a14474757 — NetShred X.pkg
01675deeb459c0cec6eb6b409698c42a — NetWorker Pro.pkg
d874167ece5528e9e997b60906940afa — Path Finder.pkg
f5cceb3eea65d0f7ae5a6b62d07cb869 — Patternodes.pkg
311b665dad3d6ea77225b5a6529a8f0c — Perfectly Clear Workbench.pkg
0e59a269fa6a34cc6fab8873e79e8011 — Print to PDF.pkg
d9e4e16ec9206ba427d280a955248829 — Project Office X.pkg
206ff97436f3c229502040128bd39bbe — Rocket Typist.pkg
59033b56c99c49a392ed7e653d296375 — Sketch.pkg
d933d00c01d1e0fd2df960e166a1e4b5 — SponsorBlock.pkg
704f2606b0a12e42046c95e530bf5f38 — SystemToolkit.pkg
1920e42d286080cc1ed6272db859e7b5 — TransData.pkg
b056054c992a386144304f1f3470234c — Vellum.pkg
11fc6ec7cdb93f23c9756a788a4204bc — VideoDuke.pkg
a2d5f2c28b2b79cf29942f8bdd847a72 — Wondershare UniConverter 13.pkg
19d3fcff714d7ffa1e325d46f6ddb8b2 — SQLPro Studio.pkg
128068daf917c2df36bccdec97c3b66a — WinX HD Video Converter for Mac.pkg
63086d31bb186abb294a5a737f235098 — Artstudio Pro.pkg
9297a3753ddff6dae048a2a75a42e529 — Magic Sort List.pkg
7f2d204f197e1205f74de603cba40010 — FoneLab Mac Data Retriever.pkg
98c185a785f2ac075849336001bc5b9c — Apeaksoft Video Converter Ultimate for Mac.pkg

Android samples:
d605b5673ca89a767662a4a83662eaa0 — s276.apk
fb3c42ca1ff0ba96ac146c1672357994 — Swipis_v2.6.1[Mobile].apk

Windows samples:
a408e30bbd449367291366d337d54f82 — wsclient.exe

URL:
register[.]akamaized[.]ca:6101/strvn