The malware is being distributed through pirated software hosted in China. When a user launches one of the pirated apps, a malicious dynamic library bundled with the app loads a backdoor built on Khepri, an open-source post-exploitation tool. At the time of discovery this combination was not being detected by anti-virus software. The backdoor then connects to the attacker, who can push additional software onto the target Mac and control it remotely.
Jamf discovered the malware while investigating other threats. An executable named “.fseventsd” stood out: the leading dot hides it from a normal directory listing, and it borrows the name of a legitimate macOS system process. Jamf also notes that, unlike the real fseventsd, the executable was not signed by Apple, and that it was not flagged as malicious on VirusTotal, a service that analyzes suspicious files.
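The two traits that made “.fseventsd” stand out, a hidden executable that reuses a macOS system process name and a binary that is not signed by Apple, can be turned into a quick triage check. The script below is an added example written for this page; it is not Jamf's or Macworld's code. The list of impersonated process names (beyond fseventsd, which comes from the article), the sample paths, and the use of `codesign` output as the signer test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Jamf's or Macworld's code): triage a directory tree for
# hidden executables that borrow a macOS system process name, then report
# whether each hit carries an Apple signature.

# System process names worth checking for impersonation. "fseventsd" comes
# from the article; the others are illustrative assumptions.
IMPERSONATED_NAMES="fseventsd launchd mds kernel_task"

# Print every hidden (dot-prefixed) executable regular file under the given
# root whose name, with the leading dot removed, matches an entry in
# IMPERSONATED_NAMES. "-perm -100" selects files with the owner-execute bit
# set and works with both BSD (macOS) and GNU find.
find_hidden_impersonators() {
    root="$1"
    find "$root" -type f -name '.*' -perm -100 2>/dev/null | while read -r path; do
        base=$(basename "$path")
        stripped=${base#.}
        for name in $IMPERSONATED_NAMES; do
            if [ "$stripped" = "$name" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# Classify a file's signer. Apple's own platform binaries carry the
# "Software Signing" certificate in their chain; anything else (Developer ID,
# ad-hoc, or no signature at all) is reported as not-apple-signed. Off macOS,
# or without codesign on PATH, say so rather than guessing.
signer_status() {
    f="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign-unavailable"
        return 0
    fi
    # -dvv prints the Authority= chain to stderr, so merge the streams.
    if codesign -dvv "$f" 2>&1 | grep -q 'Authority=Software Signing'; then
        echo "apple-signed"
    else
        echo "not-apple-signed"
    fi
}

# Walk a directory tree and print "<signer status>  <path>" for each suspect.
scan() {
    find_hidden_impersonators "$1" | while read -r hit; do
        printf '%s  %s\n' "$(signer_status "$hit")" "$hit"
    done
}

# Usage: sh hunt_hidden.sh /Applications
if [ $# -gt 0 ]; then
    scan "$1"
fi
```

A hit that reports `not-apple-signed` for a name like `.fseventsd` is not proof of infection, but it is exactly the kind of file worth pulling for analysis: the genuine fseventsd lives under /System and is Apple-signed, so a look-alike sitting inside a third-party app bundle has no legitimate reason to exist.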
The pirated apps where Jamf discovered the malware include FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT, and UltraEdit. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands, and attacker infrastructure,” according to Jamf.
How to avoid malware attacks
Jamf believes that this new malware “appears to primarily target victims in China.” Since it spreads through pirated software, the easiest way to avoid it is to use only legitimately acquired apps from trusted sources, such as the App Store (which makes security checks of its software) or directly from the developer. Macworld has several guides to help, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and trojans, and a comparison of Mac security software.
Apple builds protections into macOS and ships security patches through OS updates, so it is important to install them as soon as they are available. If Apple withdraws an update, the company reissues it once the problem has been corrected.