Kaspersky Discovers Proxy macOS Trojan Linked to Pirated Software Distribution

Kaspersky has identified a sophisticated proxy Trojan designed to compromise the macOS operating system. This latest threat is propagated through the distribution of cracked (pirated) versions of legitimate software, posing a serious risk to users who seek alternative means of acquiring applications.

The proxy Trojan operates by disguising itself as a legitimate program during installation. Once infiltrated into a user’s system, it secretly establishes a covert proxy server, allowing threat actors to reroute network traffic through the compromised device. The Trojan’s distribution via PKG installers, rather than standard disk images, allows it to perform arbitrary pre-and-post-installation actions. 

Expert analysis reveals the Trojan’s use of DNS-over-HTTPS (DoH) within the WindowServer file, concealing communication with the Command and Control (C&C) server. This protocol safeguards DNS queries, heightening its stealth capabilities.  

Moreover, the Trojan establishes a connection with the C&C server using the WebSocket protocol. This choice of communication protocol is not usual for proxy Trojans, which distinguishes this case from others. The use of WebSocket allows the Trojan to receive real-time commands from threat actors, thereby adapting to changing circumstances and evading detection more effectively.  

In addition to the macOS applications, researchers also identified several samples designed for Android and Windows platforms. These versions also function as proxy Trojans, distributed alongside pirated software. 

“Cybercriminals historically exploit users seeking cost-free software through malware-laden cracked versions. Our new discovery underscores this threat, especially considering the proxy Trojan demonstrates an advanced ability to conceal its activities. To safeguard against trojans, macOS users should rely on robust security software and be cautious with downloads – stick to official sources, avoiding cracked software,” says Sergey Puzan, a security researcher at Kaspersky. 

To learn more about the proxy Trojan for macOS on Securelist.com

To stay safe from Trojans and other malware, Kaspersky researchers recommend implementing the following measures:

• Keep your main e-mail address and phone number private. A good option is to create an additional e-mail account and purchase an additional SIM card to use for online shopping and other situations that require sharing your data with strangers.

• It’s safer to download your apps only from official stores like Apple App Store, Google Play or Amazon Appstore. Apps from these markets are not 100% failsafe, but at least they get checked by shop representatives and there is some filtration system — not every app can get into these stores.

• Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software

• Set up your social networks for better privacy. You can choose whether your profile is searchable, and whether other people can tag you, write you messages, or otherwise disturb you. If you tweak your privacy settings on any social networks you use, you won’t be bothered by spammers and scammers (which abound on every social network) there.