macOS malware attacks victims’ crypto wallets


Corentin Béchade

January 23, 2024 at 11:01 a.m.


Crypto wallets attract envy © Andreanicolini / Shutterstock

Gone are the days when macOS could be considered safe from viruses and other malware. A new strain targeting Mac owners is after their cryptocurrency wallets.

Bitcoin, Ether and other cryptocurrencies may be highly volatile assets, but that does not stop them from being prime targets for criminals. Malware identified by Kaspersky is stealing crypto from Mac users, exploiting the somewhat too blind trust that some of them place in macOS.

Malware hidden in “crack” software

In a twist not without irony, the malicious code first disguises itself as an "activator" for pirated applications. Supposed to break the copy protection that ships with certain apps, this category of software is very popular on application piracy sites.

Once the activator is launched, it asks for the machine's administrator password, supposedly to "patch" the freshly pirated application. With those rights granted, the code checks whether Python 3 is present on the machine and installs it if necessary. It then downloads a script from a bogus domain (apple-health.org) and begins infecting the machine. To stay discreet, the script is retrieved as an ordinary TXT record from a DNS server, so no HTTP download from an unknown host shows up in the victim's traffic, only a DNS query that looks like any other.
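The delivery trick above, a script smuggled inside a DNS TXT answer, is something a defender can look for in resolver logs. The following is an added example written for this article, not code from Kaspersky or from the malware: a heuristic that flags TXT records whose data is a long base64 blob decoding to script-like text. The log format, the client address, the `x1.apple-health.org` name and the embedded payload are all constructed for illustration (the payload is a harmless two-line script, base64-encoded at module load so the sample is self-consistent).

```python
"""Heuristic detector for script payloads smuggled in DNS TXT records.

Added example, not code from the article or from Kaspersky. The article only
states that the activator fetches a Python script as a DNS TXT record from
apple-health.org; the log format, names and TXT contents below are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Harmless stand-in for the real downloader script, used only to build the sample log.
_DEMO_SCRIPT = b'import os\nimport subprocess\nsubprocess.run(["echo", "hello"])\n'
_DEMO_B64 = base64.b64encode(_DEMO_SCRIPT).decode()

# Constructed resolver log: "<client> <qname> <qtype> <rdata>". Only the
# apple-health.org line mimics the delivery described in the article.
SAMPLE_LOG = (
    '10.0.0.12 _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"\n'
    '10.0.0.12 example.com TXT "google-site-verification=abc123"\n'
    f'10.0.0.12 x1.apple-health.org TXT "{_DEMO_B64}"\n'
    '10.0.0.12 www.apple.com A 17.253.144.10\n'
)

# Substrings that rarely appear in legitimate TXT data but are common in scripts.
SCRIPT_MARKERS = (b"import ", b"#!/", b"subprocess", b"os.system", b"exec(", b"eval(")
# Long run of base64 alphabet with optional padding; SPF/DMARC/verification
# records contain spaces, dashes or '=' in the middle and never match this.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class Hit:
    client: str
    qname: str
    decoded_preview: str


def decode_if_script(rdata: str) -> Optional[bytes]:
    """Return the decoded payload if rdata is a base64 blob that decodes to script text, else None."""
    text = rdata.strip().strip('"')
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Scripts are printable text; random binary (e.g. a DKIM key) fails this filter.
    if not raw or any(b > 0x7E or (b < 0x20 and b not in b"\t\n\r") for b in raw):
        return None
    if not any(marker in raw for marker in SCRIPT_MARKERS):
        return None
    return raw


def scan_log(log_text: str) -> List[Hit]:
    """Scan whitespace-separated resolver log lines and return TXT answers that carry script text."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2] != "TXT":
            continue
        client, qname, _, rdata = parts
        payload = decode_if_script(rdata)
        if payload is not None:
            hits.append(Hit(client, qname, payload[:40].decode("ascii")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client} received script-like TXT from {hit.qname}: {hit.decoded_preview!r}")
```

The check deliberately ignores the query name: a real campaign can rotate domains, while the shape of the answer (a long base64 blob that decodes to `import ...`) is harder to change. Tune `SCRIPT_MARKERS` and the minimum length for your own resolver logs before alerting on it.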

Exodus and Bitcoin Core targeted

Once installed, the malware begins collecting information about the victim's machine (OS version, installed applications, hardware, IP address, etc.) and modifies certain system settings so that it stays active even after a reboot. But the program's main goal, it seems, is to steal the victims' cryptocurrency.

The script then checks for the presence of Bitcoin Core or Exodus, two very popular wallet applications. If it finds one, the malware replaces it with a trojanized copy. Because the replacement is a modified version of the genuine app, it looks and behaves like the original; when victims enter their wallet password, the information is sent to a third-party server and the wallet is emptied.
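A modified copy of a signed application cannot keep its original, valid code signature, which gives Mac users a concrete check against the swap described above. The script below is an added example written for this article, not code from Kaspersky or from either wallet project: it runs Apple's `codesign` tool against the installed bundles and reports whether the seal is intact. The bundle paths are assumed default install locations, and the command-line options and output lines used are those documented for `codesign(1)`.

```python
"""Verify that installed wallet app bundles still carry a valid code signature.

Added example, not from the article or from Kaspersky. Bundle locations are
assumed defaults; codesign(1) writes its verbose output to stderr.
"""
import os
import subprocess
from typing import Dict

# Assumed default install paths for the two wallets named in the article.
WALLET_BUNDLES = {
    "Exodus": "/Applications/Exodus.app",
    "Bitcoin Core": "/Applications/Bitcoin-Qt.app",
}


def check_bundle(path: str) -> Dict[str, str]:
    """Return {"status": ..., "detail": ...} for one app bundle.

    Statuses: "not installed", "codesign unavailable" (not on macOS),
    "signature invalid" (bundle was modified or re-signed badly),
    "signature valid" (detail lists the Authority / TeamIdentifier lines).
    """
    if not os.path.isdir(path):
        return {"status": "not installed", "detail": path}
    try:
        # --deep checks nested code, --strict rejects bundles with extra or
        # unsealed resources, which is exactly what a swapped-in copy introduces.
        verify = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", "--verbose=2", path],
            capture_output=True, text=True,
        )
    except FileNotFoundError:
        return {"status": "codesign unavailable", "detail": "run this on macOS"}
    if verify.returncode != 0:
        return {"status": "signature invalid", "detail": verify.stderr.strip()}
    # Show who signed it so the reader can compare against a fresh official download.
    info = subprocess.run(
        ["codesign", "--display", "--verbose=2", path], capture_output=True, text=True
    )
    chain = [
        line for line in info.stderr.splitlines()
        if line.startswith(("Authority=", "TeamIdentifier="))
    ]
    return {"status": "signature valid", "detail": "\n".join(chain)}


def check_all(bundles: Dict[str, str] = WALLET_BUNDLES) -> Dict[str, Dict[str, str]]:
    """Check every configured wallet bundle and return the results keyed by wallet name."""
    return {name: check_bundle(path) for name, path in bundles.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result['status']}")
        if result["detail"]:
            print("  " + result["detail"].replace("\n", "\n  "))
```

Note that Gatekeeper only assesses an app when it is first launched after being downloaded (the quarantine attribute triggers the check); a bundle written to disk by a local process already running with administrator rights carries no quarantine flag and is never evaluated, so an explicit `codesign --verify` is the way to catch a replacement that Gatekeeper will silently allow. A "signature valid" result is only meaningful if the Authority and TeamIdentifier lines match those of the genuine vendor, since an attacker can re-sign a modified bundle with a different identity.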

While this type of "crypto-stealer" malware, as it is called in the industry, is not new, the infection method is "very ingenious" according to Kaspersky. That is little consolation to those who have already had their cryptocurrency stolen, but at least the scam is now known.

Source: Kaspersky via BleepingComputer


