Cybersecurity analysts at Jamf Threat Labs have uncovered a new strain of macOS backdoor malware, hidden inside trojanized applications distributed through Chinese software-piracy websites such as macyy<.>cn. Named '.fseventsd' in deliberate mimicry of the legitimate macOS fseventsd process, the malware is designed to evade detection and give its operators remote control of infected machines.

Stealthy as a Shadow

The malware bears a striking resemblance to the malicious code of the Khepri open-source project but has been significantly modified to increase its stealth. It renames itself to blend in with legitimate system processes, thereby evading detection. Once in control, it can collect system information, upload and download files, and open a remote shell, contingent on the user permissions it acquires.
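A defender-side check for the process-name masquerade described above, written for this article as an added example (not code from Jamf Threat Labs or from the malware analysis): it flags processes whose name matches a known macOS daemon but that carry a leading dot, execute from a non-system path, or run from a hidden file. The daemon allow-list beyond fseventsd, the system path prefixes and the sample process table are assumptions.

```python
import re
import subprocess
from dataclasses import dataclass

# fseventsd is the daemon the article says the sample impersonates; the other names are
# assumed, well-known macOS system daemons added to make the allow-list realistic.
KNOWN_DAEMONS = {"fseventsd", "launchd", "mds", "mdworker", "kernel_task"}
# Assumed: path prefixes under which genuine Apple system daemons normally execute.
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/sbin/", "/usr/bin/")

@dataclass
class Proc:
    pid: int
    name: str   # short process name (basename of the executable)
    path: str   # full executable path

def masquerade_reasons(proc: Proc) -> list[str]:
    """Return every heuristic a process trips for impersonating a system daemon."""
    reasons = []
    base = proc.name.lstrip(".")
    if proc.name.startswith(".") and base in KNOWN_DAEMONS:
        reasons.append(f"dot-prefixed name mimics system daemon '{base}'")
    if base in KNOWN_DAEMONS and not proc.path.startswith(SYSTEM_PREFIXES):
        reasons.append(f"system daemon name executing from non-system path {proc.path}")
    if re.search(r"/\.[^/]+$", proc.path):
        reasons.append("executable is a hidden (dot-prefixed) file")
    return reasons

def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one heuristic."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}

def collect_live() -> list[Proc]:
    """Gather running processes on a real macOS host; `comm` in ps output is the full path."""
    out = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True,
                         text=True, check=True).stdout
    procs = []
    for line in out.splitlines():
        pid, path = line.split(None, 1)
        procs.append(Proc(int(pid), path.rsplit("/", 1)[-1], path))
    return procs

# Constructed sample process table (not real telemetry): one genuine fseventsd, two
# entries modelling the masquerade described in the article, and one benign app.
SAMPLE = [
    Proc(55, "fseventsd", "/System/Library/Frameworks/CoreServices.framework/Versions/A/"
         "Frameworks/FSEvents.framework/Versions/A/Support/fseventsd"),
    Proc(4021, ".fseventsd", "/Users/alice/Library/Application Support/.fseventsd"),
    Proc(4022, "fseventsd", "/private/tmp/fseventsd"),
    Proc(500, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

Replace `SAMPLE` with `collect_live()` to run the same heuristics against a live host; expect some noise from third-party software that legitimately installs under /Applications or ~/Library.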

A Sinister Trail

The researchers traced the origins of the malware to a DMG file packed with backdoored applications, which in turn led them to a Chinese website notorious for hosting a wide range of pirated software. The malware consists of three malicious components: a dylib functioning as a dropper, a backdoor binary built on Khepri's command-and-control tooling, and a downloader for additional payloads.

Unsettling Similarities

Parallels were drawn with the notorious ZuRu malware, but differences in the final payloads suggest the two may not be directly related. This alarming discovery underscores the escalating sophistication of attackers targeting macOS, who are now crafting custom malware to bypass Apple's built-in protections.

A Call to Vigilance

Users and enterprises are strongly advised to steer clear of pirated applications, deploy robust threat detection and blocking software for macOS, and avoid websites known for hosting pirated software. The discovery of '.fseventsd' serves as a stark reminder of the ever-evolving threats in the cyber realm and the need for relentless vigilance.