Backdoor Activator Malware Running Rife Through Torrents of macOS Apps

macOS.Bkdr.Activator is a multi-stage macOS malware campaign spread through cracked apps distributed via torrent sites and built to infect users at scale. The disk image bundles a deliberately unusable copy of the pirated app with an Activator that poses as the patcher needed to make it run; on launch the Activator asks for an administrator password, disables Gatekeeper, installs a Python 3.9 runtime if none is present, drops a LaunchAgent for persistence and pulls further Python stages through base64-encoded DNS TXT records.
#macOS.Bkdr.Activator #Kaspersky #SentinelOne

Keypoints

  • Distribution is via torrents: the disk image bundles an unusable, ‘uncracked’ copy of the targeted app together with an Activator app that patches it into a working state.
  • Activator.app contains two malicious Mach-O binaries, a Swift GUI at Contents/MacOS/GUI and an Objective-C helper named tool at Contents/Resources/tool, plus a legitimate Python 3.9 installer package in the Resources folder.
  • Launching the Activator prompts for an administrator password, which is used to disable Gatekeeper (spctl --master-disable) and switch the policy to allow apps from “Anywhere”.
  • The tool checks for a Python interpreter, installs the bundled 3.9 package if none is present, and then runs embedded Python code that kills the Notification Center process so the user never sees the alert macOS raises when a new background item is added.
  • For persistence the Activator installs a LaunchAgent at /Library/LaunchAgents/launched.%@.plist, with %@ replaced at runtime by a UUID string; this is the system-wide LaunchAgents directory, which is only writable with the root privileges the password prompt provides.
  • Before installing the LaunchAgent it retrieves a remote Python script, keeps a hash of it under the Apple defaults API to tell whether the same script has run before, and executes it only when the hash differs from the stored one; that script downloads the next stage.
  • C2 is DNS-based: the implant requests TXT records, reassembles base64-encoded messages from the snippets in the responses, and decrypts them in memory; the decrypted content seen was a Python script that contacts a further remote server for the next stage.
  • The campaign affects hundreds of cracked apps; the indicators below cover the Mach-O binaries by SHA1, the file paths the installer drops, and the LaunchAgent naming pattern.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Initial delivery is a torrent link serving a disk image; the victim has to open the image and run the Activator patcher themselves, so this is user execution rather than a drive-by. ‘Initial delivery method is via a torrent link which serves a disk image containing two applications: An apparently ‘uncracked’ and unusable version of the targeted software title, and an ‘Activator’ app that patches the software to make it usable.’
  • [T1543.001] Create or Modify System Process: Launch Agent – The Activator writes a LaunchAgent to /Library/LaunchAgents/launched.%@.plist, with the %@ placeholder filled by a UUID generated at runtime. ‘The Activator.app contains code to install a LaunchAgent at the following path, where the %@ variable is replaced with a UUID string generated at runtime.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The administrator password collected at launch is used to disable Gatekeeper (spctl --master-disable) and allow apps from ‘Anywhere’; see also T1553.001 Subvert Trust Controls: Gatekeeper Bypass. ‘On launching the Activator.app, victims are asked for an administrator password. This is used to turn off Gatekeeper settings via the spctl master-disable command and to allow apps sourced from ‘Anywhere’ to now run on the device.’
  • [T1059.006] Command and Scripting Interpreter: Python – The Objective-C tool embeds Python code, relying on the bundled 3.9 installer when no interpreter is present, and uses it among other things to kill the Notification Center. ‘The malware uses embedded Python code to kill the Notification Center.’
  • [T1105] Ingress Tool Transfer – The tool downloads a remote Python script and, before running it, consults the Apple defaults API to check whether that same script has already been executed. ‘Prior to executing the Python script and installing the LaunchAgent, the tool attempts to retrieve a remote Python script. If the retrieval is successful, it then leverages the Apple defaults API to determine whether it has run the same script before.’
  • [T1071.004] Application Layer Protocol: DNS – TXT-record answers carry base64-encoded messages that are decrypted in memory into Python code, which in turn fetches the next stage. ‘The malware uses a novel technique of retrieving base64-encoded messages from the snippets contained in the DNS responses. These are then decrypted in-memory and were seen to contain a Python script which reached out to a further remote server to download the next stage.’
  • [T1132.001] Data Encoding: Standard Encoding – The DNS TXT messages are base64-encoded and, once decoded, are decrypted in memory (T1140 Deobfuscate/Decode Files or Information) before the embedded Python script is executed. ‘base64-encoded messages from the DNS responses… decrypted in-memory and were seen to contain a Python script…’
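The DNS channel above is what a network defender can watch for without the implant's key: an answer that is long, fully base64-valid and decodes to mostly non-printable bytes is ciphertext or binary, whereas SPF, DMARC, DKIM and site-verification records either fail the base64 check outright or decode to text. The following is an added example (not code from the SentinelOne or Kaspersky write-ups) that runs that heuristic over constructed resolver records. The tab-separated layout (timestamp, client, qname, qtype, rdata), the sample lines, the domain names and the stand-in ciphertext are all assumptions made for the example, and the thresholds MIN_LEN and MAX_PRINTABLE are starting points to tune rather than values from the page.

```python
"""Flagging DNS TXT answers that look like encoded C2 payloads (added
example, not from the SentinelOne or Kaspersky write-ups)."""
import base64
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 64          # assumed: shorter answers are too ambiguous to flag
MAX_PRINTABLE = 0.8   # assumed: decoded data this printable is treated as text


def fake_ciphertext(n_blocks: int = 3) -> bytes:
    """Stand-in for the encrypted message an implant would receive: a SHA-256
    chain gives deterministic, random-looking bytes without any real key."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


# Constructed records: timestamp, client, qname, qtype, rdata (tab-separated).
SAMPLE_LOG = [
    "2024-02-01T10:00:00Z\t10.0.0.7\texample.com\tTXT\t\"v=spf1 include:_spf.example.net ~all\"",
    "2024-02-01T10:00:01Z\t10.0.0.7\tsel._domainkey.example.com\tTXT\t\"v=DKIM1; k=rsa; p="
    + base64.b64encode(b"constructed sample, not a real key " * 3).decode() + "\"",
    "2024-02-01T10:00:02Z\t10.0.0.7\tupdate.example.org\tTXT\t\""
    + base64.b64encode(fake_ciphertext()).decode() + "\"",
    "2024-02-01T10:00:03Z\t10.0.0.7\twww.example.com\tA\t192.0.2.10",
]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported for triage, not thresholded (short messages cap it)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_txt(rdata: str) -> Dict[str, object]:
    """Judge one TXT rdata. Multiple quoted strings are concatenated first,
    since long payloads are split into 255-byte strings on the wire."""
    parts = re.findall(r'"([^"]*)"', rdata)
    txt = "".join(parts) if parts else rdata.strip()
    verdict = {"text": txt, "base64": False, "decoded_len": 0,
               "printable_ratio": None, "entropy": None, "suspicious": False}
    if len(txt) < MIN_LEN or len(txt) % 4 or not B64_RE.match(txt):
        return verdict
    try:
        raw = base64.b64decode(txt, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return verdict
    verdict.update(base64=True, decoded_len=len(raw),
                   printable_ratio=printable_ratio(raw), entropy=shannon_entropy(raw))
    verdict["suspicious"] = verdict["printable_ratio"] < MAX_PRINTABLE
    return verdict


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return an alert per TXT answer that decodes to non-text bytes."""
    alerts = []
    for line in lines:
        fields = line.split("\t")
        if len(fields) != 5 or fields[3] != "TXT":
            continue
        ts, client, qname, _, rdata = fields
        verdict = assess_txt(rdata)
        if verdict["suspicious"]:
            alerts.append({"ts": ts, "client": client, "qname": qname, **verdict})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['qname']} decoded={a['decoded_len']}B "
              f"printable={a['printable_ratio']:.2f} entropy={a['entropy']:.2f}")
```

Only the update.example.org answer is flagged: the SPF record is too short, the DKIM record contains spaces and semicolons so it is not a base64 string, and the A record is skipped. The entropy figure is carried in the alert for triage rather than thresholded, because a short message cannot reach the 8 bits per byte a long ciphertext would, which makes printable ratio the more stable gate at these sizes.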

Indicators of Compromise

  • [File Paths] Infection indicators – /tmp/python-3.9.6-macosx10.9.pkg, /Applications/Activator.app/Contents/MacOS/GUI, and /Applications/Activator.app/Contents/Resources/tool
  • [Launch Agents] Persistence indicators – /Library/LaunchAgents/launched.%@.plist, where %@ is a UUID generated at runtime #regex: /Library/LaunchAgents/launched\.[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\.plist (dots escaped; hex case left open because macOS UUID strings are normally uppercase)
  • [SHA1 Mach-O] Hash indicators – 01223c67c44b9cb893576c624ceeb6971d7c8a64, 02a38a5dd5dcff4354fab26601dd766c1d24293e, and 2 more hashes
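A responder can turn the indicators above into a host hunt. The script below is an added example (not code from the SentinelOne write-up): it checks a volume root for the dropped paths, matches LaunchAgent names against the UUID pattern with hex case left open, hashes any dropped binaries against the two SHA1 values listed on the page (the two unlisted hashes are not included), and, on macOS only, reads spctl --status to confirm whether Gatekeeper assessments were turned off. The root argument, the function names and the use of spctl --status as the Gatekeeper check are assumptions of the example.

```python
"""Host hunt for macOS.Bkdr.Activator artifacts (added example, not the
page's or SentinelOne's code). Run as root against a live system
(root="/") or point it at a mounted forensic copy of the volume."""
import hashlib
import os
import platform
import re
import subprocess
from typing import Dict, List, Optional

# Paths from the indicator list, relative to the volume root.
DROPPED_PATHS = [
    "tmp/python-3.9.6-macosx10.9.pkg",
    "Applications/Activator.app/Contents/MacOS/GUI",
    "Applications/Activator.app/Contents/Resources/tool",
]

# The two SHA1 digests the page lists; the "2 more" are not reproduced.
KNOWN_SHA1 = {
    "01223c67c44b9cb893576c624ceeb6971d7c8a64",
    "02a38a5dd5dcff4354fab26601dd766c1d24293e",
}

# launched.<UUID>.plist; IGNORECASE because NSUUID strings are uppercase hex.
LAUNCH_AGENT_RE = re.compile(
    r"^launched\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.plist$",
    re.IGNORECASE,
)


def sha1_of(path: str) -> str:
    """Streamed SHA1 so large Mach-O files are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_files(root: str) -> List[str]:
    """Absolute paths of the known dropped files that exist under root."""
    return [os.path.join(root, p) for p in DROPPED_PATHS if os.path.exists(os.path.join(root, p))]


def find_launch_agents(root: str) -> List[str]:
    """System-wide LaunchAgent plists whose name matches the launched.<UUID> pattern."""
    agents_dir = os.path.join(root, "Library", "LaunchAgents")
    if not os.path.isdir(agents_dir):
        return []
    return sorted(os.path.join(agents_dir, n) for n in os.listdir(agents_dir) if LAUNCH_AGENT_RE.match(n))


def hash_hits(paths: List[str]) -> Dict[str, str]:
    """path -> sha1 for every regular file whose digest is in KNOWN_SHA1."""
    hits = {}
    for p in paths:
        if os.path.isfile(p):
            digest = sha1_of(p)
            if digest in KNOWN_SHA1:
                hits[p] = digest
    return hits


def gatekeeper_disabled() -> Optional[bool]:
    """True when spctl reports assessments disabled; None off macOS (assumed check)."""
    if platform.system() != "Darwin":
        return None
    out = subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout
    return "disabled" in out


def hunt(root: str = "/") -> Dict[str, object]:
    """Collect every indicator under root into one verdict dictionary."""
    dropped = find_dropped_files(root)
    agents = find_launch_agents(root)
    return {
        "dropped_files": dropped,
        "launch_agents": agents,
        "hash_hits": hash_hits(dropped),
        "gatekeeper_disabled": gatekeeper_disabled(),
        # Either artifact is enough to treat the host as compromised and to
        # re-enable Gatekeeper (spctl --master-enable) after cleanup.
        "infected": bool(dropped or agents),
    }


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(hunt(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Apple's own agents use reverse-DNS names (com.apple.*), so a match on the launched.<UUID> pattern is a strong signal on its own, while a Gatekeeper status of disabled without any matching artifact is worth recording as a separate finding because users sometimes turn it off themselves. Hashing is restricted to the dropped binaries because the LaunchAgent plist is generated per host and will not match a fixed digest.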

Read more: https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/