New Trojan-Proxy Malware Spreading via Pirated Software

December 08, 2023NewsroomEndpoint Security / Malware

Trojan-Proxy Malware

Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new one. Trojan-Proxy malware.

“Attackers can use this type of malware to get money by building a proxy server network or to perform criminal acts for the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illegal goods,” Kaspersky security researcher Sergey Puzan SAYS.

The Russian cybersecurity company says it has found evidence showing the malware is a cross-platform threat, thanks to artifacts obtained for Windows and Android that piggyback on pirated devices.

Variants of macOS spread under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users looking for pirated software are the targets of the campaign.


Cracking the Code: Learn How Cyber ​​Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join now

Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, rogue versions are delivered in the form of .PKG installers, equipped with a post-install script that activates the malicious behavior post installation.

“As an installer always requests administrator permissions to operate, the script that is run during the installation process inherits those,” says Puzan.

The final goal of the campaign is to launch the Trojan-Proxy, which disguises itself as the WindowServer process on macOS to avoid detection. WindowServer is a core system process responsible for window management and rendering of the graphical user interface (GUI) of applications.

Initially, it tries to obtain the IP address of the command-and-control (C2) server to connect via DNS-over-HTTPS (DoH) by encrypting DNS requests and responses using the HTTPS protocol.


The Trojan-Proxy then establishes contact with the C2 server and waits for further instructions, including processing incoming messages to parse the IP address to connect, the protocol to use, and the message to send, informing with its ability to act as a proxy through TCP or UDP to redirect traffic through the infected host.

Kaspersky said it found malware samples uploaded to the VirusTotal scanning engine on April 28, 2023. To mitigate such threats, users are recommended to avoid downloading software from reliable sources.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment