专家警告：macOS盗版热门软件中隐藏后门

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.

观察到针对苹果 macOS 用户的盗版应用程序包含一个后门，能够给攻击者远程控制被感染的机器。

"These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“这些应用程序被托管在中国的盗版网站上，以获取受害者”，Jamf Threat Labs 的研究人员 Ferdous Saljooki 和 Jaron Bradley 说道。

"Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine."

“一旦引爆，恶意软件将在后台下载并执行多个载荷，以秘密损害受害者的机器。”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

携带后门的磁盘映像（DMG）文件已被修改，以与由演员控制的基础设施建立通信，其中包括诸如 Navicat Premium、UltraEdit、FinalShell、SecureCRT 和 Microsoft Remote Desktop 等合法软件。

The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called "dylib" that's executed every time the application is opened.

未签名的应用程序，除了托管在一个名为 macyy[.]cn 的中国网站上，还包括一个称为 "dylib" 的 dropper 组件，该组件在每次打开应用程序时都会执行。

The dropper then acts as a conduit to fetch a backdoor ("bd.log") as well as a downloader ("fl01.log") from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

然后，该 dropper 充当获取后门（"bd.log"）以及从远程服务器获取下载器（"fl01.log"）的通道，该下载器用于设置持久性并在受损机器上获取额外的载荷。

The backdoor – written to the path "/tmp/.test" – is fully-featured and built atop an open-source post-exploitation toolkit called Khepri. The fact that it is located in the "/tmp" directory means it will be deleted when the system shuts down.

这个后门——写在路径 "/tmp/.test" ——具有完整功能，建立在一个名为 Khepri 的开源后渗透工具包之上。它位于 "/tmp" 目录中的事实意味着系统关闭时将被删除。

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

尽管如此，下次加载盗版应用程序并执行 dropper 时，它将在相同的位置再次创建。

On the other hand, the downloader is written to the hidden path "/Users/Shared/.fseventsd," following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

另一方面，下载器被写入隐藏路径 "/Users/Shared/.fseventsd"，随后创建 LaunchAgent 以确保持久性并发送 HTTP GET 请求到演员控制的服务器。

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.

虽然服务器不再可访问，但下载器被设计为将 HTTP 响应写入位于 /tmp/.fseventsds 的新文件，然后启动它。

Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

Jamf 表示，这种恶意软件与 ZuRu 存在多个相似之处，后者在过去通过中国网站上的盗版应用程序进行 观察到 扩散。

"It's possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure," the researchers said.

“由于其针对性的应用程序、修改后的加载命令和攻击者基础设施，这种恶意软件有可能是 ZuRu 恶意软件的继任者”，研究人员表示。

原文始发于微信公众号（知机安全）：专家警告：macOS盗版热门软件中隐藏后门