New macOS Malware 'Activator.app' Steals Crypto Wallets via Cracked Apps
Security researchers have uncovered a new macOS malware, dubbed 'Activator.app', targeting the latest macOS Ventura versions on both Intel and Apple silicon machines. The malware, discovered by Jamf's Threat Labs, poses a significant risk to users who download cracked applications from the app store.
Activator.app repackages cracked applications like Exodus and Bitcoin-Qt into PKG files, embedding a Trojan proxy and post-install script. It uses an obsolete macOS function to gain administrator privileges and execute a Python script. The malware's crypto-stealing component replaces legitimate cryptocurrency wallets with infected versions, allowing operators to steal users' wallet information.
The malware communicates with a command-and-control (C2) server, sending details about the infected system. Jamf's Threat Labs team warns that it reaches user machines through pirated software and combines a valid Apple developer signature with advanced evasion techniques. In this respect it resembles another macOS malware, 'ChillyHell', previously discovered by security researcher Sergey Puzan.
To protect against Activator.app and similar malware, users should avoid downloading content from dubious websites and use reliable cybersecurity solutions. Researchers' warnings underline the high risk faced by users who run cracked applications from the app store. Staying vigilant and using legitimate software is crucial to preventing such infections.