Backdoor activator malware running rife through torrents of macOS Apps
February 2024 by SentinelOne
Malware authors have long targeted the market for free, cracked apps available through torrent services, but a recent macOS malware, first spotted by researchers at Kaspersky, is currently running rampant through dozens of different cracked copies of popular software.
Aside from the scale of the campaign, macOS.Bkdr.Activator is concerning because its objective appears to be to infect macOS users on a massive scale, potentially for the purpose of creating a macOS botnet or delivering other malware at scale. The software titles targeted also include a range of business-focused and productivity apps that could be attractive in workplace settings.
What is macOS.Bkdr.Activator?
Researchers first identified the campaign earlier in January and noted how its multi-stage delivery made use of some novel techniques.
The initial delivery method is via a torrent link which serves a disk image containing two applications: an apparently ‘uncracked’ and unusable version of the targeted software title, and an ‘Activator’ app that patches the software to make it usable. Users are instructed to copy both items to the /Applications folder before launching the Activator program.
On launching the Activator.app, victims are asked for an administrator password. This is used to turn off Gatekeeper settings via the `spctl --master-disable` command and to allow apps sourced from ‘Anywhere’ to now run on the device.
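The two host-level traces the delivery chain above leaves behind are a Gatekeeper policy switched to ‘Anywhere’ and an `Activator.app` bundle sitting in /Applications. The following shell script is an added example, not SentinelOne's or Kaspersky's tooling, that an administrator could run to audit both. It assumes that `spctl --status` prints "assessments enabled" or "assessments disabled" (the strings used for the constructed samples below) and that re-enabling Gatekeeper requires administrator rights.

```shell
#!/bin/sh
# Added example: audit a Mac for the two artefacts of the Activator campaign,
# a disabled Gatekeeper and an Activator.app bundle in the Applications folder.
# Not the vendor's code; the status strings below are assumptions about spctl output.

# Map the text printed by `spctl --status` to a short label.
gatekeeper_label() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Exit status 0 only when the status text shows Gatekeeper switched on.
gatekeeper_is_enabled() {
    [ "$(gatekeeper_label "$1")" = "enabled" ]
}

# Print every Activator.app bundle found directly in, or one level below,
# the given Applications directory (default /Applications). Exit 0 if any found.
find_activator_app() {
    apps_dir="${1:-/Applications}"
    found=0
    for bundle in "$apps_dir"/Activator.app "$apps_dir"/*/Activator.app; do
        [ -d "$bundle" ] || continue
        echo "$bundle"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Live check, macOS only: query spctl, report, and restore Gatekeeper if it is off.
audit_host() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found; not macOS?" >&2; return 2; }
    status="$(spctl --status 2>&1)"
    echo "Gatekeeper: $(gatekeeper_label "$status")"
    if ! gatekeeper_is_enabled "$status"; then
        echo "ALERT: Gatekeeper assessments disabled; re-enabling (needs admin rights)" >&2
        sudo spctl --master-enable
    fi
    if find_activator_app /Applications; then
        echo "ALERT: Activator.app present in /Applications; isolate host and collect the bundle" >&2
    fi
}

# Constructed sample status lines (not captured from a real host) for offline use.
SAMPLE_ENABLED="assessments enabled"
SAMPLE_DISABLED="assessments disabled"

# Uncomment on a Mac to run the live audit:
# audit_host
```

The `gatekeeper_label` and `find_activator_app` helpers take their input as arguments so they can be exercised offline against constructed data; `audit_host` is the only function that touches the live system, and it only re-enables Gatekeeper rather than deleting anything, so the bundle remains available for forensic collection.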
macOS Torrents Infected with Backdoor Activator
SentinelOne threat researchers found several hundred unique Mach-O binaries on VirusTotal that are infected with macOS.Bkdr.Activator. Some have very low detection rates, and a few are currently not detected by any VirusTotal engines at all.
The campaign is ongoing and SentinelOne continues to track and identify new malicious samples. When the policy is set to ‘Protect’, the SentinelOne agent blocks the execution of malicious samples. With the policy set to ‘Detect Only’, an alert is raised and the sample may be allowed to run for the purposes of observation.