Kaspersky has identified a proxy Trojan targeting macOS that is distributed inside cracked versions of legitimate software. The Trojan hides in the application's installer and, once on the system, sets up a covert proxy server, letting the operators route their own network traffic through the victim's machine. Notably, it ships as a PKG installer: the flat package format lets a package carry preinstall and postinstall scripts that run with the privileges the user grants the installer (root once the user authenticates the install), so the malware can be dropped and started before the user ever launches the cracked application.
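The practical check that follows from this is to inspect a downloaded .pkg before installing it. A flat package is a xar archive whose table of contents lists each component package's files; a component that bundles installer scripts carries a `Scripts` entry (a gzipped cpio archive holding the preinstall/postinstall scripts). The parser below is an added example, not code from the article or from Kaspersky: it reads the xar header, inflates the XML table of contents, walks the entries and reports any `Scripts` bundles. The sample package it runs on is constructed inline (header plus TOC only, no file heap) so the example works offline; `build_xar`, `SAMPLE_TOC` and the package name `com.example.app.pkg` are test fixtures, not artifacts from the real Trojan.

```python
"""Inspect a flat .pkg (xar archive) offline and report whether it bundles installer scripts."""
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = b"xar!"
# magic, header size, version, TOC compressed length, TOC uncompressed length, checksum algorithm
HEADER_FMT = ">4sHHQQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def read_toc(blob: bytes) -> ET.Element:
    """Validate the xar header and return the decompressed XML table of contents."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short to be a xar archive")
    magic, hdr_size, _version, toc_clen, toc_ulen, _alg = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive (bad magic)")
    toc_z = blob[hdr_size:hdr_size + toc_clen]
    if len(toc_z) != toc_clen:
        raise ValueError("truncated table of contents")
    toc = zlib.decompress(toc_z)
    if len(toc) != toc_ulen:
        raise ValueError("TOC length does not match header")
    return ET.fromstring(toc)


def walk(node: ET.Element, prefix: str = ""):
    """Yield (path, type) for every <file> entry, recursing into directory entries."""
    for f in node.findall("file"):
        name = f.findtext("name") or ""
        ftype = f.findtext("type") or "file"
        path = f"{prefix}/{name}" if prefix else name
        yield path, ftype
        yield from walk(f, path)


def list_entries(blob: bytes):
    """All entries in the package, as (path, type) pairs."""
    root = read_toc(blob)
    return list(walk(root.find("toc")))


def find_script_bundles(blob: bytes):
    """Paths of 'Scripts' entries: each one is an archive of preinstall/postinstall scripts
    that the installer will execute with its own privileges."""
    return [p for p, t in list_entries(blob) if p.split("/")[-1] == "Scripts" and t == "file"]


def build_xar(toc_xml: str) -> bytes:
    """Constructed test fixture: header + compressed TOC only. A real .pkg also carries the
    file data (heap) after the TOC; this parser never needs it."""
    toc = toc_xml.encode()
    toc_z = zlib.compress(toc)
    hdr = struct.pack(HEADER_FMT, XAR_MAGIC, HEADER_LEN, 1, len(toc_z), len(toc), 1)
    return hdr + toc_z


# Constructed sample (not a real package): one component with a Scripts bundle, plus a Distribution file.
SAMPLE_TOC = """<xar><toc>
<file id="1"><name>com.example.app.pkg</name><type>directory</type>
  <file id="2"><name>PackageInfo</name><type>file</type></file>
  <file id="3"><name>Payload</name><type>file</type></file>
  <file id="4"><name>Scripts</name><type>file</type></file>
</file>
<file id="5"><name>Distribution</name><type>file</type></file>
</toc></xar>"""
SAMPLE_PKG = build_xar(SAMPLE_TOC)

if __name__ == "__main__":
    for path, ftype in list_entries(SAMPLE_PKG):
        print(f"{ftype:9} {path}")
    print("script bundles:", find_script_bundles(SAMPLE_PKG))
```

On a real package, pass the file contents to `find_script_bundles`; any hit means the installer will run code on your machine before the application is even opened, and the scripts themselves can be read after `pkgutil --expand file.pkg out` on macOS, where they appear under `out/<component>.pkg/Scripts`. A legitimate package may carry scripts too, so the point of the check is to know that they exist and read them, not to treat their presence alone as malicious.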
Analysis of the malicious binary, which is dropped under the name WindowServer (the name of a legitimate macOS system process), shows that it resolves its Command and Control (C&C) server with DNS-over-HTTPS (DoH), so the lookup rides over TLS and never appears as a plaintext DNS query that network monitoring would see. Communication with the C&C then runs over WebSocket, which sets this Trojan apart from most of its kind: the persistent, bidirectional channel lets the operator push proxy commands in real time while the traffic blends in with ordinary HTTPS.
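Because both DoH and WebSocket ride over port 443, the network side of this Trojan looks like normal web traffic; the more reliable signal is the host side, a process that has borrowed a system daemon's name but runs from somewhere a system daemon never lives. The hunting rule below is an added example, not code from the article or from Kaspersky. It runs over a constructed list of process-and-connection records (not real telemetry) and flags any process named WindowServer whose executable is not the system one, noting an outbound 443 connection as supporting context. The expected path of the genuine WindowServer binary is an assumption based on current macOS releases and should be verified against your own fleet before the rule is deployed.

```python
"""Hunt for a process borrowing a macOS system daemon's name from the wrong executable path."""
from dataclasses import dataclass

# Assumed legitimate path on current macOS releases (verify on your fleet before relying on it).
LEGIT_PATHS = {
    "WindowServer": "/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer",
}


@dataclass(frozen=True)
class ProcConn:
    pid: int
    name: str
    path: str
    user: str
    remote: str  # "ip:port" of an established outbound connection, "" if none


def is_masquerade(p: ProcConn) -> bool:
    """True when the process name belongs to a known system daemon but the binary is elsewhere."""
    legit = LEGIT_PATHS.get(p.name)
    return legit is not None and p.path != legit


def hunt(records):
    """Return (pid, reason) for every masquerading process. An outbound :443 connection is
    appended as context because DoH and WebSocket-over-TLS both use that port."""
    hits = []
    for p in records:
        if not is_masquerade(p):
            continue
        reason = f"{p.name} running as {p.user} from {p.path} (expected {LEGIT_PATHS[p.name]})"
        if p.remote.endswith(":443"):
            reason += f"; outbound TLS to {p.remote}"
        hits.append((p.pid, reason))
    return hits


# Constructed sample telemetry (not real data): the genuine daemon, an impostor in a user's home
# directory holding a 443 connection, and an unrelated browser that also talks on 443.
SAMPLE = [
    ProcConn(188, "WindowServer", LEGIT_PATHS["WindowServer"], "_windowserver", ""),
    ProcConn(7412, "WindowServer", "/Users/alice/Library/Application Support/.helper/WindowServer",
             "alice", "203.0.113.10:443"),
    ProcConn(901, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", "alice", "198.51.100.7:443"),
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE):
        print(f"pid {pid}: {reason}")
```

The rule deliberately keys on the executable path rather than on the remote endpoint: an impostor can change resolvers and C&C domains at will, but it cannot run from inside `/System` on a machine with System Integrity Protection enabled, so a system daemon's name paired with a user-writable path is the durable indicator. Feed it from `ps` and `lsof -i` output, or from an EDR's process and network events, and extend `LEGIT_PATHS` with other daemon names malware likes to borrow.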
Beyond macOS, researchers have identified versions of the Trojan for Android and Windows, likewise bundled with pirated software. Kaspersky stresses the heightened risk for users who seek cost-free software through cracked versions, and urges them to run reputable security software and to download only from official sources.
Sergey Puzan, a security researcher at Kaspersky, advises macOS users to prioritize security software and to exercise caution with downloads, sticking to official sources and avoiding cracked software. Kaspersky's broader recommendations against Trojans and other malware are to keep personal contact information private, install apps only from official stores, update the operating system and apps regularly, and tighten social network privacy settings.