Software pirates are unknowingly infecting themselves by downloading legitimate Mac applications from Pirate Bay that have been trojanized with malware. The instance described here delivers the XMRig cryptojacking miner, but the same distribution method could carry other types of malware.
Trend Micro and Apple-focused security firm Jamf have both detected trojanized Mac applications uploaded to Pirate Bay. The first instance, discovered by Trend Micro in February 2022, involved an Apple disk image (DMG) containing a Mach-O sample. A more recent instance, discovered by Jamf, involved the video editing software Final Cut Pro and used i2p (Invisible Internet Project) for outbound communication. Jamf researchers then searched a Pirate Bay mirror for Final Cut Pro torrents and found a series of Mac applications uploaded by the user wtfisthat34698409672.
The researchers identified three generations of the malware. The first generation is a fairly standard implementation in which the malware is launched from the pirated application. The second generation attempts greater stealth: it ships no hidden executables, and the malware starts when the application opens and stops when the application is closed. The third generation goes further still, with all components base64-encoded and compressed with LZMA.
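The third-generation packaging described above (components stored base64-encoded and LZMA-compressed) can be hunted for with a simple heuristic. The following scanner is an added example, not code from the Jamf or Trend Micro write-ups: it finds long base64 runs in a text file that decode to xz/LZMA data. The 64-character minimum run length, the 64 MiB decompression memory cap and the embedded sample script are assumptions constructed for this example.

```python
import base64
import lzma
import re

# Magic bytes of an xz container (FD 37 7A 58 5A 00). A raw .lzma ("LZMA alone")
# stream has no magic, so that format is only recognised by trial decompression,
# which is a weaker signal and can occasionally misfire on random binary data.
XZ_MAGIC = b"\xfd7zXZ\x00"
# Memory cap for trial decompression (an assumption for this example): garbage
# that parses as an LZMA-alone header often claims a huge dictionary.
MEMLIMIT = 64 * 1024 * 1024
# Base64 runs of at least 64 characters (assumed minimum), with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def decode_if_lzma(blob: bytes):
    """Return the inflated bytes if blob is base64 of xz/LZMA data, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None
    # FORMAT_AUTO accepts both the xz container and LZMA-alone streams.
    try:
        return lzma.decompress(raw, format=lzma.FORMAT_AUTO, memlimit=MEMLIMIT)
    except (lzma.LZMAError, MemoryError):
        # The xz magic is still a strong signal when the payload is truncated.
        return b"" if raw.startswith(XZ_MAGIC) else None


def find_embedded_lzma(text: bytes):
    """List (offset, run_length, inflated_length) for each base64 run hiding LZMA data."""
    hits = []
    for m in B64_RUN.finditer(text):
        decoded = decode_if_lzma(m.group(0))
        if decoded is not None:
            hits.append((m.start(), len(m.group(0)), len(decoded)))
    return hits


# Constructed sample: a shell script carrying one harmless compressed payload the
# way the third-generation packaging does, beside a plain base64 string that is not.
SAMPLE_PAYLOAD = b"echo constructed-sample-payload\n"
SAMPLE_SCRIPT = (
    b"#!/bin/sh\n"
    b"LABEL=" + base64.b64encode(b"not compressed, just a long plain base64 string here!!") + b"\n"
    b"PAYLOAD=" + base64.b64encode(lzma.compress(SAMPLE_PAYLOAD)) + b"\n"
)

if __name__ == "__main__":
    for offset, run_len, out_len in find_embedded_lzma(SAMPLE_SCRIPT):
        print(f"offset {offset}: {run_len}-char base64 run inflates to {out_len} bytes")
```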
An example of the malware's evasion can be seen in a script that watches for Activity Monitor: if Activity Monitor is found running, the script immediately terminates all of the malicious processes. Apple is aware of this type of problem and has repeatedly improved its operating system to prevent the use of pirated software, but this particular distribution has gone largely undetected since at least 2019.
In conclusion, legitimate Mac applications are being trojanized with malware and uploaded to Pirate Bay, so that software pirates unknowingly infect themselves. This example delivered the XMRig cryptojacking miner, but the same method could easily deliver other malware. Apple is aware of the problem and has taken steps to prevent the use of pirated software, yet the malware remains largely undetected.
Key Points:
- Legitimate Mac applications are being trojanized with malware and uploaded to Pirate Bay.
- Trend Micro and Apple-focused security firm Jamf have both detected trojanized Mac applications.
- The researchers identified three generations of the malware.
- One example of the malware's evasion is a script that watches for Activity Monitor and terminates the malicious processes when it is running.
- Apple is aware of this problem and has taken steps to prevent the use of pirated software, but the malware is still largely undetected.