How to steal crypto via DNS

Getting what you pay for: cracked macOS apps fetch malicious code from DNS records to steal crypto

Crypto theft from Exodus and Bitcoin wallets through cracked macOS apps

Using cracked games or apps to spread malware is one of cybercriminals’ oldest tricks. Incredible as it may sound, gullible victims who believe in Robin Hoods and consider downloading cracked software and games from pirating websites to be absolutely safe still exist in 2024. The type of threat itself may be old, but malicious actors keep coming up with new ways of circumventing security on victims’ computers to deliver malware.

We recently discovered a new campaign of this kind targeting Apple computers running newer versions of macOS (13.6 and later) and leveraging certain Domain Name System (DNS) features for downloading malicious payloads. Victims are offered to download cracked versions of popular apps for free. So what’s in store for those who give in to temptation?

Fake activation

After downloading a disk image purportedly containing the cracked app, the victim is prompted to copy two files to the Applications folder: the app itself, and a so-called “activator”. If you just copy and launch the app, it won’t run. According to the manual, the cracked app must be “activated” first. Our analysis found that the activator doesn’t do anything sophisticated: it simply removes several bytes from the beginning of the application executable to make it functional. In other words, the cybercriminals have modified a pre-cracked app to prevent it from running unless it’s “activated” first. To no one’s surprise, the activator has a nasty side-effect: it asks for admin permissions when it runs, and uses those to install a downloader script in the system. The script then downloads from the web a further payload — a backdoor that requests commands from its operators every now and then.

Installation manual, activator window, and prompt for administrator password

Installation manual, activator window, and prompt for administrator password

Linking via DNS

To download the malicious script, the activator employs a tool that’s both exotic and innocent-looking: the Domain Name System (DNS). We wrote about DNS and Secure DNS earlier, but we left out an interesting technical feature of the service. Each DNS record not only links the internet name of a server with its IP address, but can also contain a free-form text description of the server — called a TXT record. This is what the malicious actors exploited by embedding snippets of malicious code within TXT records. The activator downloads three TXT records belonging to a malicious domain and assembles a script from these.

Although seemingly complicated, the setup has a number of advantages. To start with, the activator does nothing particularly suspicious: any web application requests DNS records — this is how any communication session has to begin. Secondly, the malicious actors can easily update the script to modify the infection pattern and the final payload by editing the TXT records of the domain. And finally, removing malicious content from the Web is no easy task due to the distributed nature of the Domain Name System. Internet service providers and companies would find it hard to even detect the violation of their policies because each of these TXT records is just a snippet of malicious code that poses no threat in and of itself.

The final boss

The periodically-running download script allows the attackers to update the malicious payload and perform whatever actions they want on the victim’s computer. At the time of our analysis, they showed interest in stealing crypto. The backdoor automatically scans the victim’s computer for Exodus or Bitcoin wallets, and replaces these with trojanized versions. An infected Exodus wallet steals the user’s seed phrase, and an infected Bitcoin wallet — the encryption key that’s used to encrypt private keys. The latter gives the attackers the ability to sign transfers on behalf of the victim. This is how one can try to save a few dozen dollars on pirated apps — only to lose a vastly larger amount in crypto.

Protecting yourself against an attack on crypto wallets

This isn’t novel but still true: to keep away from this threat and avoid becoming a victim, download apps from official marketplaces only. Before downloading an app from a developer’s website, make sure it’s the genuine item and not from one of many phishing sites.

If you’re thinking of downloading a cracked version of an app, think again. “Scrupulous and trustworthy” pirating sites are about as rare as elves and unicorns.

No matter how highly you think of your computer literacy, caution, and attention to detail, be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled. As for crypto owners, in addition to the above, we suggest reading our detailed instructions on protecting both hot and cold crypto wallets.