Threat researchers from SentinelOne have unearthed a new potential threat to the integrity of macOS users on an extensive scale called macOS.Bkdr.Activator. Originally recognised by Kaspersky, this backdoor activator malware is spreading through illicitly modified - or 'cracked' versions - of popular software. The scope of the threat is extensive, with over 70 known compromised applications according to SentinelOne's investigation.
The macOS.Bkdr.Activator holds great potential for damage as it targets popular software that is utilised in a broad range of business and productivity applications. These commonly-used apps in workplace settings create the potential for extensive infection.
The malware has been quickly circulating through numerous cracked versions of popular software, sometimes available through torrent services. The major cause for concern with macOS.Bkdr.Activator, aside from the sheer scale of its campaign, is that it seems intended to infect macOS users on a large scale, possibly with the goal of establishing a macOS botnet or distributing other types of malware on a large scale. These risks are further heightened as the targeted software titles include a variety of business-centric and productivity apps, which places workplace settings under threat.
Researchers first observed the campaign earlier in January and noticed its multi-stage delivery utilising novel techniques. They engaged in the initial delivery method using a torrent link that served a disk image with two applications – an apparently 'uncracked' and useless version of the targeted software title alongside an 'Activator' app that patches the software rendering it usable. Users are instructed to copy both items to the /Applications folder before starting the Activator program.
Once the Activator.app is launched, users are asked for an administrator password. This password is then utilised to switch off Gatekeeper settings with the 'spctl master-disable' command which then permits apps from 'Anywhere' to operate on the device.
The SentinelOne threat specialists found several hundred unique Mach-O binaries on VirusTotal that are infected with macOS.Bkdr.Activator, some with very low detection rates, and a few are currently not detectable by any VirusTotal engines at all. SentinelOne continues to track and identify new malicious samples as the campaign is ongoing.
Regulation of potential harm can be done through SentinelOne's system. When the policy is set to 'Protect', their agent blocks the execution of malicious samples. However, if the policy is set to 'Detect Only', an alert is raised, and the sample could potentially run for observational purposes. This new threat in the digital landscape, macOS.Bkdr.Activator, showcases not only technological advancement in malicious ware but also the need for consistent and reliable threat protection and intervention software.