Kaspersky has identified a sophisticated proxy Trojan designed to compromise the macOS operating system.

This latest threat is propagated through the distribution of cracked (pirated) versions of legitimate software, posing a serious risk to users who seek alternative means of acquiring applications.

The proxy Trojan operates by disguising itself as a legitimate program during installation. Once infiltrated into a user’s system, it secretly establishes a covert proxy server, allowing threat actors to reroute network traffic through the compromised device. The Trojan’s distribution via PKG installers, rather than standard disk images, allows it to perform arbitrary pre-and-post-installation actions.

Expert analysis reveals the Trojan’s use of DNS-over-HTTPS (DoH) within the WindowServer file, concealing communication with the Command and Control (C&C) server. This protocol safeguards DNS queries, heightening its stealth capabilities.

In addition, the Trojan establishes a connection with the C&C server using the WebSocket protocol. This choice of communication protocol is not usual for proxy Trojans, which distinguishes this case from others. The use of WebSocket allows the Trojan to receive real-time commands from threat actors, thereby adapting to changing circumstances and evading detection more effectively.

As well as the macOS applications, researchers also identified several samples designed for Android and Windows platforms. These versions also function as proxy Trojans, distributed alongside pirated software.

“Cybercriminals historically exploit users seeking cost-free software through malware-laden cracked versions. Our new discovery underscores this threat, especially considering the proxy Trojan demonstrates an advanced ability to conceal its activities. To safeguard against trojans, macOS users should rely on robust security software and be cautious with downloads – stick to official sources, avoiding cracked software,” says Sergey Puzan, a security researcher at Kaspersky.