
Novel Delivery Technique Featured in macOS Malware Campaign


A new cyberattack campaign has security researchers concerned about the distribution of a backdoor to macOS users through cracked copies of popular software products. The campaign has grabbed the attention of experts because of its sheer volume and its use of a novel, multistage payload delivery technique. In addition, the threat actor is deploying cracked macOS apps with titles that would appeal to business users, potentially putting organizations at risk if they do not restrict what their users may download.

According to Kaspersky and SentinelOne, this new attack campaign, called Activator, was first discovered in January 2024. The malware has been found in various cracked macOS applications and has since been spreading rapidly, raising concerns about potential widespread infections on macOS devices. This new backdoor, also known as the Activator macOS backdoor, has caught the attention of the cybersecurity community due to its high number of unique samples identified across VirusTotal, suggesting a significant threat.

In terms of scale, the number of samples observed indicates that the Activator backdoor has surpassed the volume of macOS adware and bundleware loaders supported by large affiliate networks. This has led to concerns about potential infections in the wild, causing a growing sense of urgency among security researchers.

One of the unique aspects of the Activator campaign is the use of over 70 different cracked macOS applications to distribute the malware. These applications, which include business-focused titles like Snag It, Nisus Writer Express, and Rhino-8, are designed to lure unsuspecting users into downloading the infected software. This presents a potential risk to organizations that allow users to download software without restrictions, as infected devices could compromise the overall security of the network.

One of the most concerning aspects of this attack campaign is the delivery mechanism of the backdoor itself. Unlike other macOS malware threats, the Activator backdoor does not infect the cracked software itself. Instead, users receive an unusable version of the cracked app they intended to download, along with an “Activator” app containing two malicious executables. Once the user runs the Activator app and grants it administrative privileges, the malware initiates a series of malicious actions designed to disable security settings and install the backdoor on the victim’s device.

This multistage delivery process makes it especially difficult to remove the malware, even if the user decides to remove the infected software. Additionally, the use of a Python backdoor that launches directly from the loader script presents another challenge, as it does not appear on disk at all. This unique delivery method makes it tricky for traditional security measures to detect and remove the threat, indicating a sophisticated approach by the threat actor.
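The two behaviours described above, a loader that runs with elevated privileges after the user approves it, and a Python payload that is executed straight from the loader without ever being written to disk, are the kind of thing endpoint telemetry can catch even when no file hash is available. The following script is an added example, not code from the article or from Kaspersky or SentinelOne. It takes process-execution events of the shape an endpoint sensor typically records (pid, parent process name, command line, effective uid), flags a Python interpreter that receives its code from argv or stdin rather than a script file, and combines that with root execution and an unexpected parent process into a simple triage score. The event records, the parent process names, and the expected-parent baseline are all constructed for the example and must be tuned to a real fleet.

```python
"""Triage process-exec telemetry for signs of an in-memory (fileless) Python
payload launched by a privileged loader. Added example; all sample data is
constructed and is not an indicator of compromise."""
import shlex
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    parent_name: str   # short name of the parent process
    cmdline: str       # full command line as recorded at exec time
    euid: int          # effective uid at exec time (0 == root)


# Parents from which a developer legitimately launching python is expected.
# This baseline is an assumption for the example; derive it from real data.
EXPECTED_PARENTS = {"Terminal", "iTerm2", "Xcode", "zsh", "bash"}


def interpreter_name(cmdline: str) -> str:
    """Basename of argv[0], e.g. '/usr/bin/python3' -> 'python3'."""
    argv = shlex.split(cmdline)
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def is_inline_python(cmdline: str) -> bool:
    """True when python is told to run code from argv ('-c') or from stdin
    ('-'), i.e. the payload never exists as a .py file on disk."""
    argv = shlex.split(cmdline)
    if not argv or not interpreter_name(cmdline).startswith("python"):
        return False
    return "-c" in argv[1:] or "-" in argv[1:]


def suspicious_reasons(ev: ProcEvent) -> List[str]:
    """Collect independent weak signals for one exec event."""
    reasons: List[str] = []
    if is_inline_python(ev.cmdline):
        reasons.append("python payload supplied inline (nothing written to disk)")
    if ev.euid == 0:
        reasons.append("executing as root")
    if ev.parent_name not in EXPECTED_PARENTS:
        reasons.append(f"launched by unexpected parent '{ev.parent_name}'")
    return reasons


def triage(events: List[ProcEvent], min_reasons: int = 2) -> Dict[int, List[str]]:
    """Return pid -> reasons for events that accumulate at least min_reasons
    signals. A lone 'python -c' from a developer's terminal is not flagged."""
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        reasons = suspicious_reasons(ev)
        if len(reasons) >= min_reasons:
            flagged[ev.pid] = reasons
    return flagged


# Constructed sample telemetry (not real IoCs); command lines are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(4101, "Activator", '/usr/bin/python3 -c "import socket"', 0),
    ProcEvent(4102, "Terminal", '/usr/bin/python3 -c "print(2+2)"', 501),
    ProcEvent(4103, "Xcode", "/usr/bin/python3 /Users/dev/build.py", 501),
    ProcEvent(4104, "Activator", "/bin/sh -c 'constructed loader command'", 0),
]


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is, the script flags pid 4101 (inline Python, root, unexpected parent) and pid 4104 (root, unexpected parent), while the developer's `python3 -c` from Terminal and the Xcode build script pass. The point of scoring rather than matching on a single field is that none of these signals is malicious alone; it is the combination the article describes, a user-approved privileged loader handing code to an interpreter without touching disk, that a file-based scanner would miss and that process telemetry can still surface.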

While the end goal of the threat actor remains unclear, experts have suggested that the campaign could be an attempt to build a macOS botnet. However, they acknowledge that this remains speculative at this stage and requires further investigation.

In summary, the Activator macOS backdoor campaign has raised significant concerns among cybersecurity experts due to its scale, unique payload delivery method, and the potential threat of widespread infections. As the situation continues to evolve, the cybersecurity community is urging organizations and individuals to exercise caution and implement strong security measures to mitigate the risk of falling victim to this sophisticated attack.
