Kaspersky researchers have unearthed an unconventional strain of macOS malware. The previously unknown family of malicious software, distributed discreetly through pirated applications, targets macOS users’ cryptocurrency, which is stored in digital wallets.

In contrast to proxy trojans previously found by Kaspersky, this new threat focuses on compromising them.

This crypto Trojan is different in two ways: first, it uses DNS records to deliver its malicious Python script. Secondly, it doesn’t just steal crypto wallets; it replaces a wallet application with its own infected version. This allows it to steal the secret phrase used to access the cryptocurrency stored in the wallets.

The malware targets macOS versions 13.6 and above, indicating a focus on users of newer operating systems, both on Intel and Apple silicon devices. Compromised disk images contain an “activator” and the sought-after application. The activator, seemingly benign at first glance, activates the compromised application after entering the user’s password.

The attackers utilise pre-compromised versions of the application, manipulating the executable files to make them non-functional until the user runs the activator. This tactic ensures the user unwittingly activates the compromised application.

After the patching process, the malware executes its primary payload by getting a DNS TXT records for a malicious domain and decrypting a Python script from it. The script runs endlessly trying to download the next stage of infection chain which is also a Python script.

The purpose of the next payload is to execute arbitrary commands received from the server. While no commands were received during the investigation and the backdoor was being updated regularly, it’s evident the malware campaign is still in development. The code suggests the commands are likely encoded Python scripts.

Apart from these functionalities, the script contains two notable features involving the domain apple-analyzer[.]com. Both functions aim to check for the presence of cryptocurrency wallet applications and replace them with versions downloaded from the specified domain. This tactic was observed targeting both the Bitcoin and Exodus wallets, turning these applications into malicious entities.

“The macOS malware linked to pirated software, highlights the serious risks,” says Sergey Puzan, a security researcher at Kaspersky. “Cybercriminals use pirated apps to easily access users’ computers and get admin privileges by asking them to enter the password. The creators show unusual creativity by hiding a Python script in a DNS server’s record, increasing malware’s level of stealth in the network’s traffic.

“Users should be extra cautious, especially with their cryptocurrency wallets. Avoid downloading from suspicious sites and use trusted cybersecurity solutions for better protection.”