According to the company’s blog post, an unknown threat actor took the source code of an app called ResignTool, and modified it to carry the infostealer.
ResignTool is a macOS application used to change the signing information on .IPA files – archive files for iOS and iPad devices. Since it is open-source, the threat actor had no issues changing the app to carry malicious code. In this particular instance, the researchers said, the malware was designed to steal Keychain data.
Distribution via file-sharing services
Keychain is Apple’s password management system. It was first introduced in macOS 8.6, but according to the researchers, it is still in current versions of the operating system. In addition to passwords, it contains other types of sensitive data, such as private keys, certificates and secure notes.
To deliver the malware, the attackers used file-sharing services. According to the report, it is not uncommon for people to look for cracked and otherwise activated versions of commercial software, in order to save a few dollars on software licenses.
However, these sites and their visitors are low-hanging fruit for cybercriminals, who have no problem uploading malicious versions of these programs (or outright impersonating them) to distribute the malware.
To safeguard their endpoints from potential infections, Trend Micro advises users to double-check the legitimacy of a file-sharing website and make sure to avoid downloading anything that sounds even remotely suspicious.
“We also advise users to protect their Apple devices with products and services that safeguard applications and files,” the researchers concluded, suggesting that a strong antivirus, a firewall, or similar cybersecurity solution, might help to minimize the potential risk.
Check out the best ID theft protection services out there