Jamf Threat Labs announced Thursday that it has discovered a new malware threat on macOS. The malware is similar to the ZuRu malware discovered in 2021.
The malware is distributed via pirated software hosted in China. When a user launches the cracked app, a malicious dynamic library bundled with it loads a backdoor built on the open source post-exploitation tool Khepri, which allowed the malware to evade antivirus detection. The malware then contacts the attacker, who can load additional software onto the target Mac and control it.
Jamf discovered the malware while investigating other threats. An executable called “.fseventsd” stood out because it is hidden (the leading dot keeps it out of normal directory listings) and shares its name with a legitimate macOS process. Jamf also notes that the executable was not signed by Apple and was not reported as malicious on VirusTotal, a website that analyzes suspicious files.
The hacked applications in which Jamf discovered the malware include FinalShell, Microsoft Remote Desktop Client, Navicat Premium, SecureCRT and UltraEdit. “It is possible that this malware is the successor to ZuRu malware given its targeted applications, modified loading commands, and attacker infrastructure,” according to Jamf.
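The two indicators Jamf describes above (a hidden executable named after a system process, and no valid code signature) can be turned into a simple triage check. The script below is an added example, not Jamf's tooling or anything from the report; the list of mimicked process names is a constructed assumption, and the codesign check only runs where that tool exists (macOS).

```shell
#!/bin/sh
# Added example: scan a directory tree (e.g. /Applications) for hidden
# executables, flag those whose name mimics a macOS system process, and,
# when codesign is available, flag those that fail signature verification.

# Constructed list of system-process names a dropper might mimic (assumption).
MIMIC_NAMES=".fseventsd .mdworker .launchd .kernel_task"

# Usage: scan_hidden_execs <root-dir>
# Prints one tab-separated line per finding: <flags>\t<path>
scan_hidden_execs() {
  root="$1"
  # Hidden files (leading dot) that carry the owner-execute bit.
  find "$root" -type f -name '.*' -perm -u+x 2>/dev/null | while read -r f; do
    base=$(basename "$f")
    flags="hidden-executable"
    for n in $MIMIC_NAMES; do
      [ "$base" = "$n" ] && flags="$flags,mimics-system-process"
    done
    # codesign exists only on macOS; elsewhere the signature check is skipped.
    if command -v codesign >/dev/null 2>&1; then
      if ! codesign --verify --strict "$f" >/dev/null 2>&1; then
        flags="$flags,unsigned-or-invalid-signature"
      fi
    fi
    printf '%s\t%s\n' "$flags" "$f"
  done
}
```

Run it as `scan_hidden_execs /Applications`; a hit that carries `mimics-system-process` inside an app bundle's Contents directory is worth submitting to an analyst, since a legitimate app has no reason to ship its own hidden copy of a system daemon.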
How to avoid malware attacks
Jamf believes that this new malware “appears to primarily target victims in China.” Since it spreads via pirated software, the easiest way to avoid it is to only use legitimately acquired apps from trusted sources, such as the App Store (which conducts security checks of its software) or directly from the developer. igamesnews has several guides to help you, including a guide on whether or not you need antivirus software, a list of Mac viruses, malware, and Trojans, and a comparison of Mac security software.
Apple has built protections into macOS, and the company ships security patches through operating system updates, so it is important to install them when they become available. If Apple pulls an update, the company re-releases it once it has been properly revised with fixes.