Backdoor Activator Malware Running Rife Through Torrents of macOS Apps

Malware authors have long targeted the market for free, cracked apps available through torrent services: in recent years a variety of cryptominers, adware, browser hijackers and bundled software installers have all plied their warez this way, but a recent macOS malware first spotted by researchers at Kaspersky is currently running rampant through dozens of different cracked copies of popular software.

Aside from the scale of the campaign, macOS.Bkdr.Activator is concerning because its objective appears to be to infect macOS users on a massive scale, potentially for the purpose of creating a macOS botnet or delivering other malware at scale. The software titles targeted also include a range of business-focused and productivity apps that could be attractive in workplace settings.

What is macOS.Bkdr.Activator?

Researchers first identified the campaign earlier in January and noted how its multi-stage delivery made use of some novel techniques.

The initial delivery method is a torrent link which serves a disk image containing two applications: an apparently ‘uncracked’ and unusable version of the targeted software title, and an ‘Activator’ app that patches the software to make it usable. Users are instructed to copy both items to the /Applications folder before launching the Activator program.

Backdoor Activator malware infects macOS

The Activator.app contains two malicious executables: a binary written in Swift named GUI located in the bundle’s MacOS folder, and a binary written in Objective-C named tool and stored in the Resources folder. The latter folder also contains a legitimate, signed installer for Python 3.9.

On launching the Activator.app, victims are asked for an administrator password. This is used to turn off Gatekeeper via the spctl --master-disable command, so that apps sourced from ‘Anywhere’ are now allowed to run on the device.

Disable Gatekeeper macOS Sonoma

Activator also checks for a Python install and, if absent, writes the Python package from its Resources folder to the /tmp directory.

Activator infection macOS malware

At this point the tool binary takes over, installs Python if required, and begins a series of malicious actions. The malware uses embedded Python code to kill the Notification Center. This is likely a means to bypass Apple’s attempt to alert users via Notifications when new persistence items like LaunchAgents are installed.

python kill Notification Center

The Activator contains code to install a LaunchAgent at the following path, where the %@ format placeholder is replaced at runtime with a generated UUID string.

/Library/LaunchAgents/launched.%@.plist
#regex:
/Library/LaunchAgents/launched.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}.plist

Prior to executing the Python script and installing the LaunchAgent, the tool binary attempts to retrieve a remote Python script. If the retrieval is successful, it then leverages the Apple defaults API to determine whether it has run the same script before. The defaults system allows programs to store preferences and other information that need to be maintained when the application isn’t running. While it is a standard macOS technology, it has rarely been leveraged by malware.

The Activator.app computes a hash of the script and saves it to the user defaults under the key lastExecutedScriptHash. If no hash has been previously saved, or the stored hash differs from the new one, the retrieved script is executed.

The application’s bundle identifier is “-.GUI”, so threat hunters may search the defaults database for signs of compromise with:

defaults read "-.GUI"
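A host triage script, added here as an illustration and not code from SentinelOne or the Kaspersky report, that automates the two hunting checks just described (the launched.<UUID>.plist LaunchAgent pattern and the lastExecutedScriptHash key under the "-.GUI" defaults domain) together with the file-path indicators listed at the end of the post. The old-style plist text format assumed for `defaults read` output and the 'assessments disabled' wording of `spctl --status` are assumptions noted in the comments; the `defaults` call only does anything on macOS.

```python
import os
import re
import subprocess
from typing import Iterable, List, Optional

# LaunchAgent file name pattern from the report: launched.<UUID>.plist
LAUNCH_AGENT_RE = re.compile(
    r"^launched\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.plist$"
)
# Persistence folders to sweep: system-wide and the current user's
LAUNCH_AGENT_DIRS = ["/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]
# File-path indicators listed in the report's IoC section
FILE_IOCS = [
    "/tmp/python-3.9.6-macosx10.9.pkg",
    "/Applications/Activator.app/Contents/MacOS/GUI",
    "/Applications/Activator.app/Contents/Resources/tool",
]

def find_launch_agents(dirs: Iterable[str]) -> List[str]:
    """Return plist paths whose file name matches the Activator UUID pattern."""
    hits = []
    for d in dirs:
        if os.path.isdir(d):
            hits += [os.path.join(d, n) for n in sorted(os.listdir(d)) if LAUNCH_AGENT_RE.match(n)]
    return hits

def parse_defaults_dump(text: str) -> Optional[str]:
    """Pull lastExecutedScriptHash out of `defaults read "-.GUI"` output.
    Assumes the old-style plist text that defaults prints: { key = value; }"""
    m = re.search(r'lastExecutedScriptHash\s*=\s*"?([0-9A-Za-z]+)"?\s*;', text)
    return m.group(1) if m else None

def read_gui_defaults() -> Optional[str]:
    """Run the report's hunting command; None if the domain is absent or not on macOS."""
    try:
        proc = subprocess.run(["defaults", "read", "-.GUI"], capture_output=True, text=True)
    except FileNotFoundError:  # not macOS, or defaults not on PATH
        return None
    return parse_defaults_dump(proc.stdout)

def gatekeeper_disabled(status_output: str) -> bool:
    """Interpret `spctl --status`: it reports 'assessments disabled' after --master-disable."""
    return "assessments disabled" in status_output

def present_file_iocs(paths: Iterable[str] = FILE_IOCS) -> List[str]:
    """Return which of the report's file-path indicators exist on this host."""
    return [p for p in paths if os.path.exists(p)]

if __name__ == "__main__":
    print({"launch_agents": find_launch_agents(LAUNCH_AGENT_DIRS), "gui_hash": read_gui_defaults(),
           "file_iocs": present_file_iocs()})
```

Feed the output of `spctl --status` to gatekeeper_disabled to complete the picture; a disabled assessment state on a host that also carries the "-.GUI" domain is a strong indicator.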

macOS Torrents Infected with Backdoor Activator

We have found several hundred unique Mach-O binaries on VirusTotal that are infected with macOS.Bkdr.Activator. Some have very low detection rates, and a few are currently not detected by any VirusTotal engines at all.

macOS Activator malware undetected

Although the following list cannot be considered complete as new samples continue to be found, the malicious binaries we have discovered pertain to over 70 individual ‘cracked’ apps that have been hijacked for the Activator campaign.

Any of the following applications that have been sourced from a torrent site, or from anywhere other than their official distribution channels, should be treated as a possible indicator of compromise, and the host device should be inspected for signs of malware infection.

4K Video Downloader 1.4.0
4K YouTube to MP3 Pro 5.1.0
Aiseesoft Blu-ray Player
Alarm Clock Pro 15.6
AnyMP4 iOS Cleaner 1.0.30
Battery Indicator 2.17.0
Bike 1.18.0
Boxy SVG 4.21.1
Chain Timer 10.0
Clipsy Clipboard Manager 2.1
ColorWell 7.4.1
Cookie 7.2.1
Cover Desk 1.7
DaisyDisk 4.26 (4.26)
DeliverExpress 2.7.11
Disk Xray 4.1.4
Dropshare 5.45
Easy Data Transform 1.46.1
Eon Timer 2.9.11
Final Draft 12.0.10
Fix My iPhone 2.4.9
FonePaw iOS Transfer 6.0.0
FontLab 8.3.0.8766.0 Beta
Fork 2.38
ForkLift 4.0.6
getIRC – IRC Client 1.5
Ghost Buster Pro 2.5.0
GrandTotal 8.2.2
Hides 5.9.2
HitPaw Video Converter 3.3.0
Infuse Pro 7.6.6
Invisible 2.8.0
Iris 1.6.4
iShowUInstantAdvanced 1.4.19
iTubeGo 7.4.0 Cracked
Keep It 2.3.7
MacX DVD Ripper Pro 6.8.2
MacX MediaTrans 7.9
Magic Battery 8.1.1
Magic Disk Cleaner 2.6.0
MarsEdit 5.1.2
MetaImage 2.6.3
Millumin 4 v4.18.d
Mission Control Plus 1.23
Money Pro 2.10.4
MouseBoost Pro 3.3.5
NetWorker Pro 9.0.1
Nisus Writer Express 4.4
Omni Toolbox 1.5.1
OmniFocus Pro 4.0.3
OmniReader Pro 2.6.8
Pastebot 2.4.6
Perfectly Clear 4.6.0.2629
Privatus 7.0.2
QuickLinks 3.2
RAW Power 3.4.17 Cracked
Rhino-8
SimpleMind Pro 2.3.0
SiteSucker Pro 5.3.0
Soulver 3.10.0
SpamSieve 3.0.3
Swinsian 3.0
SyncBird Pro 4.0.8
TechSmith Snagit 2023.2.6
uDock 4.0.3
Unclutter 2.2.6
Valentina Studio Pro 13.7.0
Web Confidential 5.4.3
WiFiSpoof 3.9.3
Xliff Editor 2.9.15
xScope 4.7.0
zFuse Pro 1.7.36

Further Stages

The Activator malware functions as a Stage 1 installer and downloader. The tool binary constructs a hardcoded domain name string and, according to Kaspersky researchers, retrieves TXT records for this domain from a DNS server. We were unable to confirm this in our tests, but the previous research suggests that the malware uses a novel technique of retrieving base64-encoded messages from the snippets contained in the DNS responses. These are then decrypted in memory and were seen to contain a Python script which reached out to a further remote server to download the next stage.

The content of these encrypted messages could change according to the operator’s whim, but in the observed case the final stage turned out to be a Python backdoor that allows the operator to execute arbitrary commands on the infected device. More details on this stage can be found here.

SentinelOne Detects macOS.Bkdr.Activator

The campaign is ongoing and we continue to track and identify new malicious samples. When the policy is set to ‘Protect’, the SentinelOne agent blocks execution of malicious samples. With the policy set to ‘Detect Only’, an alert is raised and the sample may be allowed to run for the purposes of observation.

Indicators of Compromise

File Paths
/tmp/python-3.9.6-macosx10.9.pkg
/Applications/Activator.app/Contents/MacOS/GUI
/Applications/Activator.app/Contents/Resources/tool

[~]/Library/LaunchAgents/launched.%@.plist
#regex:
/Library/LaunchAgents/launched.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}.plist

SHA1 Mach-Os

Arrests in $400M SIM-Swap Tied to Heist at FTX?

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.

An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.

In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”

Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:

“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”

“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”

The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continued until the 12th of November.

Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.

“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”

The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.

“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”

Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russia than anything they’ve witnessed from US-based SIM-swappers.

“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.

CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques and Procedures.”

Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.

Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.

KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.

Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.