The infection chain begins with users downloading and executing cracked applications from untrustworthy websites. During installation, the malware is placed in the /Applications/ folder, disguised as an activator for the cracked app. A deceptive Activator window prompts users to enter their administrator password; with that password the malware launches a ‘tool’ executable through the ‘AuthorizationExecuteWithPrivileges’ function. The malware then checks whether Python 3 is present on the system and installs it if necessary, which to the user looks like routine app patching.
The malware then contacts a command and control (C2) server at the domain “apple-health[.]org.” The attackers use a novel method to communicate with the C2 server, demonstrating the evolving tactics of cybercriminals in breaching macOS systems’ security.
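The two observable artefacts in the chain above are the C2 domain and an “Activator” bundle sitting in /Applications. The following script is an added example for defenders, not code from the original article or from the researchers who documented this malware: it refangs the published indicator, scans constructed DNS-style query log lines for lookups of that domain or any subdomain, and flags application bundles in /Applications whose name contains “Activator”. The log line format (`<timestamp> <client-ip> query <qname> <qtype>`) and the sample paths are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicator as published in the write-up, written defanged; refanged before matching.
C2_DOMAIN_DEFANGED = "apple-health[.]org"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'apple-health[.]org' into a matchable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)

# Constructed log format for this example: "<timestamp> <client-ip> query <qname> <qtype>".
# Real resolvers (BIND, Unbound, macOS unified log) use other layouts; adapt the regex.
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    qtype: str


def domain_matches(qname: str, c2: str) -> bool:
    """True if qname equals c2 or is a subdomain of it (case-insensitive, trailing dot ok)."""
    q = qname.rstrip(".").lower()
    return q == c2 or q.endswith("." + c2)


def find_c2_lookups(lines, c2: str = C2_DOMAIN):
    """Return a Hit for every parseable log line that resolves the C2 domain or a subdomain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        if domain_matches(m["qname"], c2):
            hits.append(Hit(m["ts"], m["client"], m["qname"], m["qtype"]))
    return hits


# Second check: bundles under /Applications whose name looks like the "Activator"
# described above. Paths are passed in (e.g. from os.listdir) so the function runs offline.
ACTIVATOR_RE = re.compile(r"activator", re.IGNORECASE)


def suspicious_bundles(app_paths):
    """Return /Applications/*.app paths whose bundle name contains 'activator'."""
    out = []
    for p in app_paths:
        name = p.rsplit("/", 1)[-1]
        if p.startswith("/Applications/") and name.endswith(".app") and ACTIVATOR_RE.search(name):
            out.append(p)
    return out


# Constructed sample data for a stand-alone run.
SAMPLE_DNS_LOG = [
    "2024-01-30T10:01:02Z 10.0.0.5 query www.apple.com A",
    "2024-01-30T10:02:10Z 10.0.0.5 query apple-health.org A",
    "2024-01-30T10:02:11Z 10.0.0.7 query cdn.apple-health.org. AAAA",
    "2024-01-30T10:03:00Z 10.0.0.9 query notapple-health.org A",   # look-alike, must not match
    "this line is not a query record",
]

SAMPLE_APPS = [
    "/Applications/Safari.app",
    "/Applications/Some Activator.app",
    "/Users/alice/Activator.app",  # outside /Applications, so not flagged by this rule
]

if __name__ == "__main__":
    for h in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup: {h.ts} {h.client} -> {h.qname} ({h.qtype})")
    for p in suspicious_bundles(SAMPLE_APPS):
        print(f"Suspicious bundle: {p}")
```

A single-domain match is brittle, since the attackers can rotate infrastructure; treat a hit as a trigger to pull the host's recent authorization prompts and newly installed bundles rather than as proof on its own, and note that the bundle check only reads paths you hand it, so run it against a real directory listing when investigating.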
Source: Medium
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.