Security researchers have raised the alarm about a new campaign of cyber attacks using cracked copies of popular software products to deploy a backdoor to macOS users.
What makes the campaign different from numerous others that have used a similar tactic, like the one reported just earlier this month involving Chinese websites, is its sheer size and its new technique of distributing the payload in several stages. Also noteworthy is the threat actor’s use of cracked macOS apps with titles that could be of interest to enterprise users, so even organizations that don’t limit what users download may be at risk.
Kaspersky was the first to discover and report on the macOS Activator backdoor in January 2024. A subsequent analysis of the malicious activity by SentinelOne demonstrated that the malware was “running through torrents of macOS apps”, according to the security vendor.
“Our data is based on the number and frequency of unique samples appearing on VirusTotal,” says Phil Stokes, threat researcher at SentinelOne. “In January, since this malware was first discovered, we have seen more unique samples of this malware than any other macOS malware from us [tracked] in the same period of time.”
The number of Activator backdoor samples observed by SentinelOne is also greater than the volume of adware and bundleware loaders for macOS (think Adload and Pirrit) supported by large affiliate networks, Stokes says. “While we have no data to correlate this with infected devices, the rate of unique uploads to VT and the variety of different applications used as bait suggest that infections in the wild will be significant.”
Build a macOS botnet?
One potential explanation for the scale of the activity is that the threat actor is attempting to assemble a macOS botnet, but this remains only a hypothesis for now, Stokes says.
The threat actor behind the Activator campaign uses up to 70 cracked macOS applications – or “free” apps with copy protections removed – to distribute the malware. Many of the cracked apps have business-focused titles that could be of interest to people in the workplace. Examples include Snag It, Nisus Writer Express, and Rhino-8, a surface modeling tool for engineering, architecture, automotive design, and other use cases.
“There are many useful tools for work purposes that are used as bait by macOS.Bkdr.Activator,” says Stokes. “Employers who do not place limits on the software that users can download could be at risk of compromise if a user downloads an app infected by the backdoor.”
Threat actors who try to distribute malware via cracked apps typically embed malicious code and backdoors within the app itself. In the case of Activator, the attacker used a slightly different strategy to open the backdoor.
Different delivery method
Unlike many macOS malware threats, Activator doesn’t actually infect cracked software, Stokes says. Instead, users receive an unusable version of the cracked app they wish to download and an “Activator” app containing two malicious executables. Users are prompted to copy both apps to the Applications folder and run the Activator app.
The app then prompts the user for the administrator password, which it uses to disable macOS’s Gatekeeper settings so that applications from outside Apple’s official app store can run on the device. The malware then initiates a series of malicious actions that eventually disable the system notifications setting and install, among other things, a Launch Agent on the device. The Activator backdoor itself is a first-stage installer and downloader for other malware.
The multi-stage distribution process “provides the user with the cracked software, but backdoors the victim during the installation process,” Stokes says. “This means that even if the user later decides to remove the cracked software, the infection will not be removed.”
Sergey Puzan, malware analyst at Kaspersky, highlights another noteworthy aspect of the Activator campaign. “This campaign uses a Python backdoor that doesn’t appear on disk at all and is launched directly from the load script,” says Puzan. “Using Python scripts without ‘compilers’ like pyinstaller is a little more complicated as it requires attackers to bring a Python interpreter with them at some stage of the attack or to ensure that the victim has a compatible Python version installed.”
Puzan also believes that one of the potential goals of the threat actors behind this campaign is to build a botnet for macOS. Since Kaspersky’s report on the Activator campaign, however, the company has not observed any additional activity, he adds.
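For defenders who want to check a Mac for the behaviours described above (Gatekeeper switched off, a newly installed Launch Agent, a script run by an interpreter without a file on disk), the following triage helper is an added example, not code from Kaspersky, SentinelOne or the article. Its heuristics, path lists and sample plists are assumptions for illustration, not Activator indicators.

```python
import plistlib
from pathlib import PurePosixPath

# Assumed heuristic: interpreters and the flag that makes them run inline code,
# which leaves no script file on disk to inspect.
INLINE_FLAG = {"sh": "-c", "bash": "-c", "zsh": "-c", "python": "-c", "osascript": "-e"}
# Assumed list of locations any local user can write to.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def gatekeeper_disabled(spctl_output: str) -> bool:
    """True when `spctl --status` output reports assessments as disabled."""
    return "assessments disabled" in spctl_output.lower()

def triage_launch_agent(plist_bytes: bytes) -> list:
    """Return reasons a Launch Agent plist deserves manual review ([] if none)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    if not argv and job.get("Program"):
        argv = [str(job["Program"])]
    if not argv:
        return ["no Program or ProgramArguments"]
    reasons = []
    # Strip version suffixes so python3 and python3.11 both map to "python".
    name = PurePosixPath(argv[0]).name.rstrip("0123456789.")
    flag = INLINE_FLAG.get(name)
    if flag and flag in argv[1:]:
        reasons.append("interpreter runs inline code")
    paths = [a for a in argv if a.startswith("/")]
    if any(p.startswith(WRITABLE_PREFIXES) for p in paths):
        reasons.append("references a world-writable path")
    if any(part.startswith(".") for p in paths for part in PurePosixPath(p).parts):
        reasons.append("references a hidden file or directory")
    if reasons and job.get("RunAtLoad"):
        reasons.append("starts automatically when loaded (RunAtLoad)")
    return reasons

# Constructed samples, not taken from any real infection.
SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.helper/run"]})
BENIGN = plistlib.dumps({"Label": "com.example.sync", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--daemon"]})

if __name__ == "__main__":
    print("Gatekeeper off:", gatekeeper_disabled("assessments disabled\n"))
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_launch_agent(blob))
```

On a real machine, feed `gatekeeper_disabled` the output of `spctl --status` and `triage_launch_agent` the bytes of each file in `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a hit is a prompt for manual review, not a verdict.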