Security News > 2024 > January > Cracked macOS apps drain wallets using scripts fetched from DNS records
Hackers are using a stealthy method to deliver to macOS users information-stealing malware through DNS records that hide malicious scripts.
The campaign appears directed at users of macOS Ventura and later and relies on cracked applications repackaged as PKG files that include a trojan.
By using this method, the threat actor was able to hide its activity inside traffic and download the Python script payload disguised as TXT records from the DNS server, which would appear as normal requests.
The reply from the DNS server contained three TXT records, each a base64-encoded fragment of an AES-encrypted message containing the Python script.
Although deceiving users with cracked apps to deliver malware is a common attack avenue, the campaign that Kaspersky analyzed shows that threat actors can are sufficiently ingenious to come up with new ways to deliver the payload, such as hiding it in a domain TXT record on a DNS server.
Charming Kitten hackers use new 'NokNok' malware for macOS. iShutdown scripts can help detect iOS spyware on your iPhone.