BleepingComputer reports that threat actors have used cracked macOS software to distribute information-stealing malware that targets cryptocurrency wallets on devices running macOS Ventura or later.
According to a report from Kaspersky, infection begins when the malware is placed in the Applications folder disguised as an activator for a cracked app; a fraudulent Activator window then prompts for the admin password. Researchers noted that entering the password triggers a "tool" executable.
The attackers also concealed command-and-control communications by building a third-level domain name from words on hardcoded lists plus random letters, then retrieving from the DNS server a Python script payload disguised as a TXT record; that script in turn downloads a second Python script with more advanced threat capabilities.
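The DNS behaviour described above leaves a footprint a defender can look for: TXT queries whose third-level label is unusually long and high-entropy, repeated from the same host. The following is an added example (not code from Kaspersky's or BleepingComputer's reports) that runs a simple entropy heuristic over a few constructed DNS query log lines. The log format, the domain names, and the length and entropy thresholds are all assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not taken from the report).
# Assumed format per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-01-22T10:00:01Z 10.0.0.5 A www.example.com
2024-01-22T10:00:02Z 10.0.0.5 TXT _dmarc.example.com
2024-01-22T10:00:03Z 10.0.0.7 TXT apple-tulipxqzvbk.example-c2.net
2024-01-22T10:00:04Z 10.0.0.7 TXT orange-mnbvcxzlkjh.example-c2.net
2024-01-22T10:00:05Z 10.0.0.9 AAAA mail.example.org
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for a single repeated char)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def third_level_label(qname):
    """Return the third-level label of a query name, or None if there is none."""
    parts = qname.rstrip(".").split(".")
    if len(parts) < 3:
        return None
    return parts[-3]


def is_suspicious_txt_query(qtype, qname, min_len=12, min_entropy=3.0):
    """Flag TXT queries whose third-level label looks machine-generated.

    Thresholds are assumed values for illustration; tune them against
    your own baseline of legitimate TXT lookups.
    """
    if qtype != "TXT":
        return False
    label = third_level_label(qname)
    if label is None:
        return False
    # Labels starting with "_" are conventional TXT service records
    # (e.g. _dmarc, _acme-challenge) and are expected to be queried.
    if label.startswith("_"):
        return False
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def scan_log(text):
    """Return (client_ip, qname) pairs for every suspicious TXT query in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = fields
        if is_suspicious_txt_query(qtype, qname):
            hits.append((client, qname))
    return hits


def hits_per_client(text):
    """Count suspicious queries per client; repeated hits from one host suggest beaconing."""
    return Counter(client for client, _ in scan_log(text))


if __name__ == "__main__":
    for client, qname in scan_log(SAMPLE_LOG):
        print(f"suspicious TXT query from {client}: {qname}")
    print(dict(hits_per_client(SAMPLE_LOG)))
```

In practice the per-client count matters more than any single hit: one odd TXT lookup is noise, while a steady stream of distinct random labels under the same parent domain from one host is the pattern worth escalating.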
Further examination of the backdoor script revealed functionality to scan for and compromise Bitcoin Core and Exodus wallets, after which the attackers obtain the wallets' passwords, seed phrases, names, and balances.