New Strain of Mac Malware Found in Pirated Applications, Targets Users in China

ICARO Media Group
News
21/01/2024 20h50

In a recent discovery by Jamf Threat Lab researchers, a new strain of malware has been identified lurking within commonly pirated macOS applications. Once installed, these applications unknowingly execute trojan-like malware in the background of a user's Mac, leading to potentially disastrous consequences.

The researchers came across an executable file named "fseventsd" while investigating threat alerts. The name is borrowed from a legitimate macOS process that tracks file changes and stores event data, so the executable blends in at first glance. However, the researchers found that "fseventsd" is actually a native log and not an executable. Adding to the suspicion, the file was not signed by Apple, which prompted further investigation.

Further analysis revealed that these pirated applications hosting the malware are primarily found on Chinese pirating websites. Upon detonation, the malware proceeds to download and execute multiple payloads in the background, discreetly compromising the victim's Mac.

The "fseventsd" binary carries out three malicious activities in a specific order. First, it loads a malicious dylib file, which acts as a dropper and executes each time the application is opened. Next, it downloads a backdoor binary that uses the Khepri open-source command-and-control (C2) tool, enabling the attacker to collect system information, download and upload files, and even open a remote shell. Lastly, a downloader ensures persistence and fetches additional payloads.

Interestingly, the Khepri backdoor resides in a temporary file, so it disappears when the Mac is rebooted or shut down. The malicious dylib, however, is loaded again the next time the user opens the application, which is how the malware persists.
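The behaviour described above suggests a simple host-side triage check: a process carrying a system daemon's name that is not Apple-signed, does not run from a system path, or executes from a temporary directory. The following is an added example written for this article, not code from Jamf or the report; the process snapshot is constructed, the `Software Signing` authority string and the genuine fseventsd path reflect recent macOS releases, and the cracked-app bundle name is a placeholder.

```python
"""Flag processes that borrow the name of a macOS system daemon (added example).

Heuristics follow the article: an fseventsd binary that is not Apple-signed,
runs outside a system path, or executes from a temporary location. The
snapshot is constructed; on a real Mac the records would be filled from
`ps -axo pid=,comm=` plus `codesign -dvv <path>` (assumed workflow).
"""
from dataclasses import dataclass
from typing import Optional

WATCHED_DAEMONS = {"fseventsd"}  # names the article shows being impersonated
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
APPLE_SYSTEM_SIGNER = "Software Signing"  # leaf Authority= codesign prints for Apple system binaries


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str              # executable name as shown by ps comm=
    path: str              # resolved executable path
    signer: Optional[str]  # leaf signing authority, None if unsigned


def suspicious_reasons(proc: ProcessRecord) -> list:
    """Return the heuristics a process trips; an empty list means nothing odd."""
    reasons = []
    if proc.name in WATCHED_DAEMONS:
        if not proc.path.startswith(SYSTEM_PREFIXES):
            reasons.append("system daemon name running outside a system path")
        if proc.signer != APPLE_SYSTEM_SIGNER:
            reasons.append("not signed by Apple" if proc.signer else "unsigned binary")
    if proc.path.startswith(TEMP_PREFIXES):
        reasons.append("executing from a temporary directory")  # the backdoor lived in a temp file
    return reasons


def triage(snapshot) -> dict:
    """Map pid -> reasons for every process that trips at least one heuristic."""
    return {p.pid: r for p in snapshot if (r := suspicious_reasons(p))}


# Constructed snapshot: the genuine fseventsd (path as on recent macOS), an impostor
# shipped inside a hypothetical cracked app bundle, and a payload running from /private/tmp.
SAMPLE_SNAPSHOT = [
    ProcessRecord(112, "fseventsd", "/System/Library/Frameworks/CoreServices.framework/"
                  "Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd",
                  "Software Signing"),
    ProcessRecord(4021, "fseventsd", "/Applications/ExampleCrackedApp.app/Contents/MacOS/fseventsd", None),
    ProcessRecord(4033, "helper", "/private/tmp/helper", None),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_SNAPSHOT).items():
        print(f"pid {pid}: {'; '.join(reasons)}")
```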

While Jamf suggests that the primary targets of this attack are victims in China, it highlights the overall danger of using pirated software. Many users installing such applications are already aware of the risks and often overlook security alerts from macOS Gatekeeper, impatiently clicking the "Install" button.

To protect against such threats, experts advise installing reputable antivirus and anti-malware software as an additional layer of defense. While this particular strain of malware may go undetected, having strong security measures in place is always a good practice.

As the threat landscape continues to evolve, staying vigilant and cautious while downloading and installing software remains crucial for users worldwide.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
