Research Saturday 1.27.24
Ep 314 | 1.27.24

Hooked on pirated macOS applications.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Jaron Bradley: We had a detection go off based on one of these static detections. So we saw a file that was, it was not signed by a developer. Which on the Apple platform these days is pretty strange. Essentially, we noticed that it also had a file name that it was assigning that kind of mimicked one of Apple's built-in processes. And so that kind of set this off for us as pretty weird and something we wanted to look more into.

Dave Bittner: That's Jaron Bradley, he's a director at Jamf Threat labs. The research we're discussing today is titled "Jamf Threat Labs discovers new malware embedded in pirated applications." [ Music ] Well let's walk through it together here. I mean, what is fundamentally at play here and how would somebody find themselves falling victim to this?

Jaron Bradley: Yeah, definitely. So after kind of tracking -- taking this, what we discovered to be malware, and then tracking it backwards to figuring it out -- or, sorry. To figuring out how it was -- how it reached the databases we were looking at, essentially we saw that it was uploaded from a DMG file, which usually hold applications. Generally how, you know, MacOS applications are downloaded or distributed is through DMG files. And when we went and grabbed the DMG file that was responsible, you know, we noticed that it had an app name and icons and everything that looked very, very much like apps that already existed. And therefore, you know, kind of clued us into oh, these are -- or this initial sample is probably very much, it's very likely it's a pirated application or cracked application. And we kept pulling at that thread and looking around, and then sure enough, on the internet, on some different pirating sites, on some different pirating sites, we found multiple apps that kind of had the same malware embedded within it.

Dave Bittner: Are there particular apps that they're targeting here? Are they going after a certain category?

Jaron Bradley: They mostly seem to be applications that were popular in some sense or that many power users might even want to use. For instance, database management tools, shell applications, or you know, alternatives to the terminal, remote desktop tools. A lot of power user type tools.

Dave Bittner: So let's say that I'm someone who's, you know, looking to get one of these pirated apps. I'm looking to save a few bucks for me or goodness forbid, my company, and I download one of these DMG files. And I try to install it or run it, I mean, what happens next?

Jaron Bradley: Yeah. In the background, you're essentially compromised. You're going to get some pop-ups from the operating system, right? Some warnings that say hey, like, we can't verify the legitimacy of this file. But usually, when your users are downloading pirating applications, they're kind of expecting to see those pop-ups, right? They're expecting to have to click through a couple like warnings when installing pirated or cracked applications. So unfortunately, usually those warnings just kind of get blown right through. You get a working application most the time, so long as these programs were cracked in the manner that could still be successful. But in the background, outside of the app just working, which is of course presented to the user, there's a whole slew of things being done in the background that you wouldn't get out of the legitimate application.

Dave Bittner: Well let's run through those together. What sort of capabilities do they have here?


Jaron Bradley: Yeah. So looking into this malware, what we noticed was the Kepri backdoor being downloaded. Kepri's an open source project on GitHub. So anybody with some, you know, some coding or GitHub experience could probably download that and compile it relatively easy. And it's very likely people are, people are doing that. So, it's a backdoor with built in functionality. All you really have to do is host a kind of server. And then manage to get one of your -- one of these clients that you've built with Kepri embedded in your malware or convince a user to run it somehow, and these pirated apps were kind of hidden away to do that for whoever the attacker is on the other side.

Dave Bittner: What do they seem to be after here? What's the information they're trying to gather?

Jaron Bradley: Yeah, so it's hard to say exactly. There is a single payload part of the malware, one of the stages. The attacker had taken the command and control portion of that down, where the final piece of malware was being hosted. That could be anything. We did note some -- with this malware, some similarities to the ZuRu malware, which was definitely interested in stealing files. Basically information it could get off your system about you, maybe your passwords, your keychain, stuff like that. But without knowing what that final payload was, it's likely that was a big piece of maybe the final objectives. But outside of those final objectives, there was a hole, as we said, the whole Kepri backdoor install would still allow the attacker to maintain a connection to the system where essentially, their objectives could be carried out through that backdoor. Which had functionality for downloading files, uploading files to the victim, executing additional payloads or additional binaries that they might upload to that system, things like that.

Dave Bittner: Well help me understand here, I mean, is the malware embedded in the pirated software itself? Or is it installed separately and running, you know, surreptitiously behind the scenes?

Jaron Bradley: Yeah. It's behind the scenes. The way it's installed is actually pretty clever on the attacker's side. For those that maybe haven't been in the MacOS world of security for super long, essentially, a lot of malware that we've seen to date has been, you know, even up until, I guess even up until maybe a year or two ago, there's just been a lot of malware that is an app, it convinces users it's legitimate, and it does some, you know, it does some malicious stuff. Not a lot of creativity in terms of social engineering or getting -- being really convincing for users. But as of late, we've seen more stuff using techniques like we saw this malware using. And what that is, is basically someone has taken the application and they've added what we've called a load command to the application binary itself. And what that does is basically, it's when the attacker goes in and they manually modify some of the low level components of the application to import an additional piece of code that is packaged and sitting inside the application bundle. And it does that without the user really being able to tell. Unless you know how to do some reverse engineering, you know how to use some different, you know, sleuthing tools, unexecutables, it does this technique that we call like a dylib sideload essentially. And within that malicious library that it has modified, or within that library is where all the malicious code is held, that kicks off the malware. So essentially what that does is any time the user opens the application, the malicious library is loaded on the side and handles everything in the background. So yeah. All of that's being done in the background. Persistence is being set up. Additional persistence so that when you -- there's two ways it persists. A, you open the app. Right? Any time you open the app, the malware does a little check and it runs itself again. B, it sets up a launch agent that will essentially also run any time the computer starts the system. So there's two ways for the malware to run in the background, even if you're not using the app it's still possible. [ Music ]

Dave Bittner: And would there be any indication to the user that anything was amiss?

Jaron Bradley: No, there wouldn't be in this case. You could see apps possibly requesting permissions to do things. For instance, these pirated apps might be -- something might pop up and say "Microsoft Remote Desktop wants access to your files," right? Like MacOS has some built-in features that will keep apps from accessing certain files until the user approves that. You might all of a sudden see some of these cracked apps requesting permissions to do things. But again, most users aren't going to think much of that given that they're pirated apps and they kind of expect some of these warnings, right?

Dave Bittner: Yeah. So I mean obviously, when you talk about protecting yourself against these sorts of things, obviously don't download and install pirated apps. But what about at an organizational level? You know, if I'm running my business and I want to protect myself against, you know, that seemingly well-meaning user who's maybe trying to try something out or save the company some money or whatever, is there anything I can do on an organizational level to try to protect my installed Mac systems from this sort of thing?

Jaron Bradley: Yeah, this is a great question. And like you're saying, obviously, the hands-down no-brainer like how should you protect yourself from this is don't download pirated apps, right? Like you're 100% accurate on that.

Dave Bittner: Right. Yeah.

Jaron Bradley: And not to mention like this is not the first time this has happened. This has been since the history of, you know, cracking and malware that malware has been embedded inside applications, MacOS, MacOS included. But from the organizational perspective, definitely harder, right? Definitely more difficult. That's why we have, you know, a whole company set up around trying to make things easier around MacOS is because originally these computers were built to be kind of personal computers. They were not really built to be, you know, in the corporate environment. And if they were, there was kind of hacky ways to get them in there. But we've been seeing more, right? It's not just the CEOs anymore who are using the Apple computers. There's plenty of employees that want that and want that freedom that MacOS has to offer. So essentially, you know, security software and policies, these are both things you're able to enforce in some manner using some different, what's called MDM software, so the ability to kind of manage these MacOS computers remotely as an admin in a similar way that you'd be able to do it for a Windows computer. So really trying to enforce policy. Running security software. You know, like some people, they still like, they think Mac and they think oh, it's inherently safe. I don't need security software. We would push against that, especially in a corporate environment, right? Where you can't really control what users are just going to go out and download on the internet. There's some good, built-in security features from Apple to the operating system. XProtect is one of them. It's an anti-virus scanner that tries to scan things as you're opening them up. But security software's allowed to be a bit more flexible than probably Apple can be when they have to protect the entire world and you know, security software can kind of scope in on what threats are out there and provide additional coverage. So, that would be my answer there.

Dave Bittner: You know, you sort of allude to looking at this from a higher level. And I'd love to get your take as someone who is, you know, deep in the world of Mac malware. Can you give us a little bit of a reality check on the state of things? Because I think as you say, you know, I think lots of people on MacOS have this feeling, some would say smugness, and by the way, I count myself as a loyal Mac user so I'm calling myself out here. That they are better protected or that they don't have to worry about these things. I mean, what's the truth there? Where do we stand?

Jaron Bradley: Yeah. That's a great question. And I think it does definitely open a lot of additional questions, right? Like a lot of us still remember looking back on the commercials with the "I'm a Mac, I'm a PC." Like "I don't have any viruses, look at me." And like -- and that stuck with a lot of us, I think. And in reality, it's just not true anymore. An example that -- an example that I give a lot, if anyone's read "The Cuckoo's Egg," it's a book by Cliff Stoll. It's a book about one of the first nation-state intrusions, really. At least the first recorded one, I guess I should say. About a guy who was working at Berkeley, and at the time he had found an accounting error. Like on one of the sheets for who was paying for the internet. Somebody was getting away with free internet time. This was a thing back then. But the operating system of choice there at Berkeley at the time was not, you know, it was not Windows. It was not Apple's platform. It was FreeBSD or some form of Unix, right? And this is what attackers were going after because it held all the research. And the attack at a high level looks very much the same. Attackers get on a system, they move about laterally, they find a good research. They find a way to get that research out to their systems. So what that really tells us is it's not about the security of the platform. It's about the market share, really. What systems do attackers need to be familiar with to get the good data? And I think as we see the Apple market share kind of continue to shift and continue to gain a little more momentum in the workplace, we're going to continue to see more and more malware coming out for Mac. And if you kind of look at the Mac malware of the past few years, you'll see that that is indeed true as the market share shifted a little. Malware has come more and more to life. [ Music ]

Dave Bittner: Our thanks to Jaron Bradley from Jamf Threat Labs for joining us. The research is titled "Jamf Threat Labs discovers new malware embedded in pirated applications." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. They make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]