Kaspersky, a globally recognized cyber security vendor, has uncovered a macOS malware campaign that targets users who download pirated apps. The malware is delivered through compromised software installers and is aimed at newer systems, macOS 13.6 and above. Its distinguishing goal is to replace the user's legitimate Bitcoin and Exodus crypto wallet applications with trojanized versions. Infection begins with a compromised disk image that contains the desired application together with an "activator". The malware stays dormant until the user runs the activator, which asks for the user's password; that prompt is what hands the attackers administrator rights, and because the pirated app will not work until the activator has been run, users run it willingly. Once the activator has run, it launches a Python script that runs continuously and attempts to download further infection stages. The script has two functions: executing arbitrary commands received from the attackers' server, and checking whether crypto wallet applications are present so that it can replace them with malicious versions.
The campaign stands out for its simplicity and effectiveness. By tampering with the executable files of legitimate applications so that they do not work until the activator is run, the attackers ensure that users install the malware themselves. Once activated, the malware can execute any script with administrator privileges, including replacing the Exodus and Bitcoin wallet applications with versions that steal the user's secret recovery phrase. To protect against this threat, Kaspersky researchers emphasize downloading apps only from official stores such as the Apple App Store. They also recommend installing a reliable security solution, keeping the operating system and apps up to date, and using strong, unique passwords for different accounts. It is also crucial to keep your seed phrase secure when setting up a wallet; given how this campaign works, that includes confirming that the wallet application itself is the genuine, unmodified release before a recovery phrase is ever typed into it, since a replaced wallet passes the phrase straight to the attackers.
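As an added example for practitioners (not from Kaspersky's report or from the article above), the following script performs the two checks this campaign suggests on a Mac where a cracked-app activator may have been run: it verifies the code signatures of the wallet bundles the campaign targets for replacement, and it scans the launchd directories for jobs that start a Python interpreter. The bundle paths, the choice of launchd as the place to look for the continuously running script, and the plist name in the usage note are all assumptions; the article does not say how the Python script persists.

```bash
#!/bin/bash
# Added example, not code from the Kaspersky report: triage checks for a Mac
# on which a pirated-app "activator" may have been run.
#
# Check 1: verify the code signature of the wallet apps the campaign replaces
#          (Exodus, Bitcoin). A swapped bundle fails `codesign --verify` or
#          shows an unexpected signing authority.
# Check 2: list launchd jobs whose program arguments invoke Python. The report
#          describes a continuously running Python stage; launchd is an
#          ASSUMPTION about where such a stage would typically persist.

# Wallet bundle paths are assumptions; adjust them to the machine's install.
WALLET_BUNDLES="/Applications/Exodus.app /Applications/Bitcoin-Qt.app"

# Print one tab-separated line per bundle path given:
#   <path>\tOK\t<Authority=...> | MISSING | UNSIGNED_OR_TAMPERED | NO_CODESIGN
verify_wallet_bundles() {
    for bundle in "$@"; do
        if [ ! -d "$bundle" ]; then
            printf '%s\tMISSING\n' "$bundle"
        elif ! command -v codesign >/dev/null 2>&1; then
            # Not on macOS (or tools missing): cannot judge the signature here.
            printf '%s\tNO_CODESIGN\n' "$bundle"
        elif codesign --verify --deep --strict "$bundle" >/dev/null 2>&1; then
            # Signature intact; also show who signed it, because a re-signed
            # or ad-hoc-signed replacement can still pass a bare --verify.
            authority=$(codesign -dvv "$bundle" 2>&1 | grep '^Authority=' | head -n 1 || true)
            printf '%s\tOK\t%s\n' "$bundle" "${authority:-Authority=<none>}"
        else
            printf '%s\tUNSIGNED_OR_TAMPERED\n' "$bundle"
        fi
    done
}

# Scan the given directories for launchd property lists whose <string>
# arguments name a Python interpreter (python, python3, /usr/bin/python3.x).
# Prints matching plist paths, one per line; returns 0 if any matched, 1 if none.
find_python_launch_items() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -Eq '<string>[^<]*python[0-9.]*</string>' "$plist"; then
                printf '%s\n' "$plist"
                found=0
            fi
        done
    done
    return $found
}

# Stand-alone use on the host being triaged:  bash triage.sh --run
if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2086
    verify_wallet_bundles $WALLET_BUNDLES
    find_python_launch_items \
        "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons \
        || echo "no launchd jobs invoking python found"
fi
```

A hit from the second check (for instance a plist such as the hypothetical `com.example.updater.plist` pointing at `/usr/bin/python3` and a script in a writable location) is a lead to investigate, not proof of this campaign; legitimate software also ships Python-based agents. Any wallet that reports UNSIGNED_OR_TAMPERED, or OK with an authority other than the vendor's, should be treated as replaced, and the recovery phrase it held as exposed.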