Trojan-Proxy Malware May Target Multiple Operating Systems

Unauthorized websites distributing tampered versions of cracked software have been identified as sources of infection for Apple macOS users with a novel Trojan-Proxy malware.

Researchers explained that perpetrators can leverage this form of malware to generate revenue by establishing a proxy server network or executing illicit activities on behalf of the victim, such as launching assaults on websites, businesses, and individuals, as well as purchasing firearms, narcotics, and other illegal items.

Researchers discovered evidence suggesting that the malware poses a cross-platform threat. This inference is drawn from the discovery of artifacts associated with Windows and Android, which piggybacked on pirated tools.

Trojan-Proxy Disguises Itself as Pirated Apps

The macOS iterations masquerade as authentic multimedia, image editing, data recovery, and productivity tools. This implies that individuals seeking pirated software are the primary targets of the campaign. Unlike their legitimate counterparts distributed as disk image (.DMG) files, the counterfeit versions are disseminated as .PKG installers, featuring a post-install script that triggers malicious behavior after installation.

The ultimate objective of the campaign is to deploy the Trojan-Proxy, which disguises itself as the WindowServer process on macOS to elude detection. WindowServer is a fundamental system process responsible for managing windows and rendering the graphical user interface (GUI) of applications.
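Since the Trojan-Proxy borrows the name of a genuine system process, name alone is not a useful signal; the executable path and the account the process runs under are. The following is an added example (not from the article or the researchers) that parses the output of `ps -axo pid,ppid,user,comm` (on macOS `comm` prints the full executable path) and flags any `WindowServer` that does not run from the expected location or as the expected user. The legitimate path and user are stated as assumptions; the malicious path in the constructed sample is a placeholder, not a known indicator.

```python
"""Flag processes named WindowServer that do not look like Apple's.

Added example, not from the article. Feed it the text of
`ps -axo pid,ppid,user,comm` captured on the host under review.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: where and as whom the genuine WindowServer runs on modern macOS.
# Confirm against a known-good machine of the same OS version before relying on it.
LEGIT_PATHS = {
    "/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer",
}
LEGIT_USER = "_windowserver"

# Constructed sample output; the /Library/... path is a placeholder, not an IoC.
SAMPLE_PS = """\
  PID  PPID USER           COMM
  170     1 _windowserver  /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
 4121     1 alice          /Library/Application Support/placeholder/WindowServer
 4130  4121 alice          /usr/bin/curl
 4150     1 root           /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str
    path: str


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Parse `ps -axo pid,ppid,user,comm` output; the comm column is the
    remainder of the line so paths containing spaces survive."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user, "comm": comm})
    return rows


def find_imposters(text: str) -> List[Finding]:
    """Return every WindowServer process whose path or user is unexpected."""
    findings = []
    for row in parse_ps(text):
        name = str(row["comm"]).rsplit("/", 1)[-1]
        if name != "WindowServer":
            continue
        if row["comm"] not in LEGIT_PATHS:
            findings.append(Finding(int(row["pid"]), "unexpected executable path", str(row["comm"])))
        elif row["user"] != LEGIT_USER:
            findings.append(Finding(int(row["pid"]), f"unexpected user {row['user']}", str(row["comm"])))
    return findings


if __name__ == "__main__":
    for f in find_imposters(SAMPLE_PS):
        print(f"pid {f.pid}: {f.reason} ({f.path})")
```

Run it against live output with `ps -axo pid,ppid,user,comm | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; a genuine system has exactly one WindowServer, owned by `_windowserver`, under the SkyLight framework path.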

Upon initiation, the malware endeavors to acquire the IP address of the command-and-control (C2) server through DNS-over-HTTPS (DoH) by encrypting DNS requests and responses using the HTTPS protocol.

Subsequently, Trojan-Proxy establishes communication with the C2 server and awaits further directives, including processing incoming messages to interpret the IP address to connect to, the protocol to employ, and the message to transmit. This indicates its capability to function as a proxy via TCP or UDP to reroute traffic through the compromised host.

Researchers reported discovering instances of the malware uploaded online as early as April 28, 2023. To counter such threats, users are advised to refrain from downloading software from untrusted sources.

December 8, 2023