New malware for macOS makes it easier to steal cryptocurrencies

Kaspersky researchers have discovered an unconventional type of macOS malware. This previously unknown malware family is discreetly distributed via pirated apps and targets the cryptocurrencies that macOS users store in digital wallets.

This crypto-Trojan is unique in two ways. First, it uses DNS records to deliver a malicious Python script. Second, it not only steals digital wallets but also replaces the wallet app with an infected version, which allows it to capture the password used to access the cryptocurrencies stored in the wallet.

The malware targets macOS versions 13.6 and later, which indicates a focus on users of newer operating systems, on both Intel and Apple Silicon processors. The compromised disk images contain an activator and the targeted application. The activator, seemingly benign at first glance, activates the compromised application after the user enters their password.
Attackers use pre-patched versions of the application whose executable files have been manipulated so that they do not run until the user launches the activator. This tactic ensures that the user activates the compromised application without knowing it.

Once activated, the malware executes its main payload: it obtains the DNS TXT record of a malicious domain and decrypts the Python script it contains. That script runs in an endless loop, trying to download the next stage of the infection chain, which is also a Python script.
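As an added illustration (not Kaspersky's code or anything from the article), the following Python heuristic flags DNS TXT answers from a constructed resolver log that have the shape described above: long, opaque, high-entropy tokens that match no well-known TXT convention. The domain names, record values and thresholds are constructed placeholders.

```python
"""Heuristic flagging of DNS TXT answers that look like smuggled payloads."""
import base64
import hashlib
import math
import re
from collections import Counter

# Common legitimate TXT conventions (not exhaustive); records starting with
# these are skipped so that e.g. long DKIM public keys are not flagged.
KNOWN_PREFIXES = (
    "v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=",
    "apple-domain-verification=", "MS=", "_globalsign-domain-verification=",
)
# A single token drawn from the base64 / base64url alphabet.
ENCODED_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_suspicious_txt(value: str, min_len: int = 100, min_entropy: float = 4.5) -> bool:
    """True when a TXT value is a long, opaque, high-entropy token that matches
    no known convention: the shape an encrypted script stuffed into DNS has."""
    v = value.strip().strip('"')
    if v.startswith(KNOWN_PREFIXES):
        return False
    if len(v) < min_len or not ENCODED_TOKEN.match(v):
        return False
    return shannon_entropy(v) >= min_entropy

def flag_suspicious(records):
    """Return the (name, value) pairs from a resolver log that trip the heuristic."""
    return [(name, value) for name, value in records if is_suspicious_txt(value)]

# Constructed resolver log: three ordinary TXT records plus one opaque blob
# standing in for an encrypted script. The blob is deterministic pseudo-random
# bytes; the domain is a placeholder, not one from the article.
_blob = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))).decode()
SAMPLE_RECORDS = [
    ("example.com", "v=spf1 include:_spf.example.net ~all"),
    ("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("example.com", "google-site-verification=rXOxyZounnZasLbzRj4bgVolHm6ygq"),
    ("stage.placeholder-c2.test", _blob),
]
```

Tune the thresholds against your own DNS telemetry; some legitimate services publish opaque TXT values, so a hit is a lead to correlate with the querying process, not a verdict.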

The purpose of this next payload is to execute arbitrary commands received from the server. Although no commands were received during the investigation, the backdoor was updated periodically, so the campaign is clearly still under development. The code suggests that the commands are probably Python scripts.

In addition to the functionality described above, the script contains two notable functions related to the domain apple-analyzer[.]com. Both check for the presence of crypto wallet applications and replace them with malicious versions downloaded from specified domains. This tactic has been observed targeting both Bitcoin and Exodus wallets.

“macOS malware associated with pirated software indicates serious risks. Cybercriminals use pirated applications to easily access users’ computers and obtain administrative privileges by asking them to enter their password. The creators show unusual creativity by hiding a Python script in a DNS record, increasing the stealth of the malware in network traffic. Users should be very careful, especially with their cryptocurrency wallets. Avoid downloading from dubious sites and use trusted cybersecurity solutions for better protection,” says Sergey Puzan, security researcher at Kaspersky.

To stay safe from Trojans and protect your crypto assets, Kaspersky researchers recommend implementing the following measures:
● It is safer to download apps only from official stores such as the Apple App Store. Applications from these marketplaces are not 100% safe, but they are at least reviewed by store representatives, which means some filtering takes place: not every app gets in.
● Install a reliable security solution and follow its recommendations. Such solutions resolve most problems automatically and notify you of any issues they discover.
● Keep your operating system and important applications updated as updates become available. Many security issues can be resolved by installing updated software versions.
● Secure your seed phrase: when setting up a hardware wallet, be sure to write down and store your seed phrase securely. A reliable security solution, such as Kaspersky Premium, will protect your crypto assets stored on your mobile device or computer.
● Use a strong password: avoid using passwords that are easy to guess or reusing passwords from other accounts. To manage passwords efficiently and securely, consider using Kaspersky Password Manager.

Source: Panama America

Ella

I'm Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.