
The Cybersecurity Lair™ • December 8, 2023

Latest News | Mac Attack! Trojan Proxy Rides Shotgun on Cracked Software

Dodging Digital Bullets: Stay Safe, Skip the Cracks!

The recent Kaspersky article describes a new Trojan-Proxy campaign targeting Mac users through cracked applications distributed on unauthorised websites. The earliest sample was submitted to VirusTotal on April 28, 2023. The malware is bundled with cracked copies of popular paid macOS software on warez sites, which offer copyrighted digital content for free or at a lower price.


Once installed, the malware turns the infected computer into a proxy that anonymously relays the attackers' traffic, letting them run phishing, attacks on other systems and illegal transactions from the victim's IP address. In aggregate, the infected machines form a proxy network that the operators can use for their own operations or rent out for profit.


The infected applications pose as legitimate cracked software but ship as .PKG installers rather than the usual disk image. The difference matters: a .PKG can carry pre- and post-install scripts that run with root privileges once the user authorises the install, whereas a drag-and-drop disk image cannot. The post-install script drops the malware's components under names that look like system files, assigns them administrator ownership and permissions, and installs a property list disguised as a Google configuration file that registers the payload with launchd so it starts as a system process and survives reboots.
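As an added example (not code from the Kaspersky write-up or from this post), the following Python script shows the kind of host-side check the installation chain above invites: parse the property lists under /Library/LaunchDaemons and /Library/LaunchAgents and flag jobs whose label claims a vendor (Apple, Google) while the executable lives somewhere else, or whose executable borrows the name of a genuine macOS system process but runs from outside the system directories. The vendor home directories, the watch-list of process names and the two sample plists are constructed for the example; they are not indicators from the campaign.

```python
"""Triage macOS launchd job plists for persistence that impersonates a vendor or a
system process. Added example; paths, watch-list and sample plists are constructed."""
import plistlib
from pathlib import Path
from typing import List, Optional
from xml.parsers.expat import ExpatError

# Directories Apple itself runs daemons from; anything else is third-party.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")

# Where a job carrying a given vendor label should normally live (hypothetical
# allow-list for this example; build yours from a known-clean Mac).
VENDOR_HOMES = {
    "com.apple.": TRUSTED_PREFIXES,
    "com.google.": ("/Library/Google/", "/Applications/Google Chrome.app/"),
}

# Genuine macOS process names that malware borrows to blend into `ps` output.
SYSTEM_PROCESS_NAMES = {"WindowServer", "launchd", "mds", "coreaudiod", "kernel_task"}


def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program wins, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else None


def triage(plist_bytes: bytes) -> List[str]:
    """Return findings for one plist; an empty list means nothing matched."""
    try:
        job = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["top-level object is not a dict"]
    path = program_path(job)
    if not path:
        return ["no Program or ProgramArguments"]
    label = str(job.get("Label", ""))
    name = path.rsplit("/", 1)[-1]
    trusted = path.startswith(TRUSTED_PREFIXES)
    findings: List[str] = []
    # A binary named like a system process but living in /Library/Application Support etc.
    if name in SYSTEM_PROCESS_NAMES and not trusted:
        findings.append(f"system process name {name!r} running from {path}")
    # A label that claims a vendor whose software does not live where this binary is.
    for prefix, homes in VENDOR_HOMES.items():
        if label.startswith(prefix) and not path.startswith(homes):
            findings.append(f"label {label!r} claims a vendor but runs {path}")
    # Only worth noting once something else matched; plenty of legitimate jobs are persistent.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("job is RunAtLoad + KeepAlive, i.e. persistent and auto-restarting")
    return findings


def scan(directory: str) -> dict:
    """Triage every .plist in a directory such as /Library/LaunchDaemons; {file: findings}."""
    results = {}
    for p in sorted(Path(directory).glob("*.plist")):
        hits = triage(p.read_bytes())
        if hits:
            results[str(p)] = hits
    return results


# Constructed samples. The second imitates the pattern the post describes: a
# Google-looking label that launches a binary named after a system process.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.example.updater</string>
  <key>ProgramArguments</key><array><string>/Library/Google/Example/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.helper.update</string>
  <key>ProgramArguments</key><array><string>/Library/Application Support/Helper/WindowServer</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("benign:", triage(BENIGN_PLIST))
    print("suspicious:", triage(SUSPICIOUS_PLIST))
    for d in ("/Library/LaunchDaemons", "/Library/LaunchAgents"):
        if Path(d).is_dir():
            for f, hits in scan(d).items():
                print(f, hits)
```

Run it as root on a Mac to cover the system-wide daemon directories; the constructed samples run anywhere. The checks are deliberately narrow (name-borrowing and vendor-label mismatch) because a generic "third-party daemon" rule would fire on every legitimate updater; widen the allow-lists from your own baseline rather than relaxing the rules.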


The malware resolves its command-and-control (C&C) server through DNS-over-HTTPS (DoH) rather than plain DNS, then talks to it over a WebSocket connection, over which it receives commands. When the researchers probed the server, it answered with only a limited set of commands, suggesting the tooling is still being developed.


Kaspersky identified around 35 instances of popular software applications infected with Trojan Proxy, including image editing, data recovery, video editing, and network scanning tools. Notably, similar versions for Android and Windows were also detected, suggesting a wider distribution network for cracked software containing this malware.


The campaign shows how commodity malware now borrows legitimate web protocols: DoH hides the C&C lookup inside ordinary HTTPS, and WebSockets make the command channel look like any other long-lived web session. Lionel Litty of Menlo Security warns that these techniques let the malware slip past solutions that inspect only plain DNS traffic or do not inspect HTTPS connections adequately.
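As an added example, not from the Kaspersky write-up or from this post, the following Python script sketches the network-side check that the C&C description and the evasion point above call for: over a constructed JSON-lines feed of outbound connections (as an EDR agent or a TLS-inspecting proxy would emit), it flags DoH lookups and WebSocket upgrades from processes outside an allow-list of browsers, and escalates a WebSocket opened shortly after a DoH lookup by the same process, the resolve-then-connect sequence the malware follows. The public DoH endpoints are real; the process allow-list, the log format and the sample events are constructed.

```python
"""Flag DoH lookups and WebSocket upgrades from processes that have no business using
them, and correlate the two into a Trojan-Proxy-style alert. Added example; the log
format, process allow-list and sample events are constructed."""
import json
from typing import Dict, List, Tuple

# Public DoH endpoints; RFC 8484 clients conventionally use the /dns-query path.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"

# Processes expected to speak DoH and WebSockets on their own (hypothetical allow-list).
ALLOWED_PROCESSES = {"Google Chrome", "firefox", "Safari"}

# A WebSocket upgrade this soon after a DoH lookup by the same process is escalated.
CORRELATION_WINDOW_S = 60


def is_doh(ev: dict) -> bool:
    """TLS to a known DoH resolver, or any HTTPS request to the conventional DoH path."""
    return ev.get("dst_port") == 443 and (
        ev.get("sni") in DOH_RESOLVERS or ev.get("http_path") == DOH_PATH
    )


def is_websocket(ev: dict) -> bool:
    """HTTP Upgrade: websocket seen on the connection."""
    return (ev.get("upgrade") or "").lower() == "websocket"


def detect(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (ts, severity, process, reason) alerts from JSON-lines connection events."""
    alerts: List[Tuple[int, str, str, str]] = []
    last_doh: Dict[str, int] = {}  # process name -> timestamp of its latest DoH lookup
    for line in lines:
        ev = json.loads(line)
        proc = ev["process"]
        if proc in ALLOWED_PROCESSES:
            continue
        if is_doh(ev):
            last_doh[proc] = ev["ts"]
            alerts.append((ev["ts"], "medium", proc, f"DoH query to {ev.get('sni')}"))
        elif is_websocket(ev):
            recent = proc in last_doh and ev["ts"] - last_doh[proc] <= CORRELATION_WINDOW_S
            why = f"WebSocket to {ev.get('dst_ip')}:{ev.get('dst_port')}"
            if recent:
                why += f" within {CORRELATION_WINDOW_S}s of a DoH lookup (resolve-then-connect)"
            alerts.append((ev["ts"], "high" if recent else "low", proc, why))
    return alerts


# Constructed connection events. "updater" stands in for an unknown third-party
# binary; 203.0.113.0/24 is a documentation range, not a real C&C address.
SAMPLE_LOG = [
    '{"ts": 10,  "process": "Google Chrome", "dst_ip": "8.8.8.8", "dst_port": 443, "sni": "dns.google", "http_path": "/dns-query"}',
    '{"ts": 100, "process": "updater", "dst_ip": "8.8.8.8", "dst_port": 443, "sni": "dns.google", "http_path": "/dns-query"}',
    '{"ts": 105, "process": "updater", "dst_ip": "203.0.113.10", "dst_port": 443, "sni": "cdn.example.net", "upgrade": "websocket"}',
    '{"ts": 400, "process": "Slack", "dst_ip": "203.0.113.20", "dst_port": 443, "sni": "wss.example.com", "upgrade": "websocket"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The http_path and upgrade fields are only available where you terminate TLS or collect endpoint telemetry; with network-only visibility you are left with the SNI/destination match against known resolvers, which is exactly the gap the evasion point above describes, and a DoH lookup from an unexpected process is the stronger signal because macOS does not use DoH system-wide unless you configure it.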


Here are the key points:


Discovery of New Trojan Proxy Malware: Kaspersky uncovered a new Trojan-Proxy campaign targeting Mac devices, distributed through cracked applications obtained from unauthorised websites.


Payload Origin and Distribution: The earliest submission of the malware to VirusTotal dates back to April 28, 2023. It hides inside popular paid macOS software offered on warez sites for free or at heavily reduced prices.


Malware Functionality: Once installed, the malware turns the infected computer into an anonymous traffic-forwarding proxy, which lets the operators run phishing, attacks and illegal transactions from the victim's address and build a proxy network for their own operations or for sale.


Installation and Execution: Infected applications pose as legitimate cracked software but ship as .PKG installers rather than the usual disk images, because a .PKG's post-install script runs with root privileges once the install is authorised. That script drops the malware's components disguised as system files, gives them administrator permissions, and uses a fake Google configuration file to register the payload so that it runs as a system process.


Communication and Command Handling: The malware resolves its C&C server via DNS-over-HTTPS (DoH) and receives commands over a WebSocket connection. Researchers who probed the server got only a limited set of commands back, suggesting the tooling is still under development.


Impacted Software and Platforms: Kaspersky identified about 35 infected builds of popular applications, including image editing, data recovery, video editing and network scanning tools. Related samples for Android and Windows were also found, pointing to a broader distribution network for cracked software carrying this malware.


Sophisticated Evasion Techniques: DoH and WebSockets hide the C&C traffic inside ordinary HTTPS, so it passes solutions that inspect only plain DNS or do not inspect HTTPS connections adequately.


Warning and Recommendations


  1. Avoid Downloading Cracked Software: Refrain from downloading or installing cracked or pirated software from unofficial or questionable websites. These versions often hide malware, including Trojan Proxy, which can compromise your device.

  2. Use Official Sources: Obtain software and applications only from official and legitimate sources, such as the Apple App Store or the vendor's own site. Keep Gatekeeper enabled: a genuine installer is signed and notarised by its vendor, whereas cracked installers are typically unsigned and tell you to click through the warning, which should itself be treated as a red flag.

  3. Keep Software Updated: Regularly update your operating system and applications to their latest versions. Updates often contain security patches that protect against known vulnerabilities exploited by malware.

  4. Use Security Software: Install reputable antivirus or anti-malware software on your Mac. Ensure it is regularly updated and performs scheduled scans to detect and remove any potential threats.

  5. Exercise Caution with Email Attachments and Links: Be cautious when opening email attachments or clicking on links, especially if they're from unknown or suspicious sources. These could lead to the installation of malware onto your system.

  6. Enable Firewall and Security Settings: Keep the built-in firewall, Gatekeeper and System Integrity Protection enabled. Note that the macOS application firewall filters inbound connections only; it will not stop a trojan proxy's outbound DoH or WebSocket traffic, so pair it with an outbound-aware firewall or network monitoring if you need that coverage.

  7. Backup Data Regularly: Create regular backups of your important data on an external drive or cloud storage. Because this trojan installs itself with administrator rights and runs as a system process, the most reliable remediation is to erase the machine and restore from a backup made before the cracked software was installed, rather than trying to clean it in place.

  8. Educate Yourself and Stay Informed: Stay updated on the latest cybersecurity threats and best practices. Regularly check reputable sources for news and updates on malware campaigns and cybersecurity measures.

  9. Practise Safe Internet Habits: Exercise caution while browsing the internet. Avoid visiting suspicious websites and clicking on pop-ups or advertisements from unknown sources.

  10. Enable Two-Factor Authentication (2FA): Enable 2FA whenever possible for your online accounts. This adds an extra layer of security, making it more difficult for cybercriminals to access your accounts even if they obtain your credentials.


By following these best practices, users can significantly reduce the risk of falling victim to the Trojan Proxy malware campaign or similar threats targeting Mac devices.


Source and further reading:


Ahmed, D. (2023, October 11). VirusTotal reveals apps most exploited by hackers to spread malware.
Hackread - Latest Cybersecurity News, Press Releases & Technology Today. https://www.hackread.com/virustotal-apps-exploited-hackers-spread-malware/


Puzan, S. (2023, December 5). New macOS Trojan-Proxy piggybacking on cracked software.
Securelist. https://securelist.com/trojan-proxy-for-macos/111325/


Simon, M. (2023, December 4). New proxy trojan malware shows why you shouldn’t pirate Mac software.
Macworld. https://www.macworld.com/article/2161932/macos-proxy-trojan-malware-pkg-bundle-pirated-apps.html
