Security researchers have spotted new macOS malware that’s spreading through pirated software in an effort to steal cryptocurrency.
Antivirus provider Kaspersky uncovered the malware piggybacking on “cracked” software apps circulated on the internet. The malicious code arrives through an “Activator” program, which is designed to install and launch the pirated software.
The Activator asks for the user’s macOS password so it can make changes to the system. Entering it allows the Activator to secretly install the malware, which can spy on the Mac and receive commands from the hacker’s server.
Kaspersky added: “The samples we found could be successfully run on macOS Ventura 13.6 and later, suggesting that the operators were targeting only users of the newer operating system versions on both Intel processors and Apple silicon machines.” (Ventura was released in September 2023.)
Kaspersky’s investigation also found that the malware’s creator took pre-compromised versions of the pirated software and altered a few bytes of code, “thus disabling it to make the user launch Activator.” In one case, a screenshot shows the hacker packed the malware into a pirated version of xScope, a paid macOS utility.
Once the malware installs itself, it’ll begin checking for the presence of Bitcoin and Exodus cryptocurrency wallets. If found, the malware will then secretly replace the wallet with its own infected version to loot the user’s digital currency.
The news arrives as other hackers have been spotted exploiting pirated software to spread other kinds of macOS malware. A month ago, Kaspersky discovered cracked software being used to infect victim machines with a malicious proxy network. Then in February, security firm Jamf found another cryptocurrency-focused macOS malware circulating through a pirated version of Apple’s Final Cut Pro software.
Hence, macOS users should be careful when downloading bootleg software. “The aforementioned cracked applications are one of the easiest ways for malicious actors to get to users’ computers,” Kaspersky added. “To elevate their privileges, they just need to ask for the password, which typically causes no suspicions with users during software installation.”