Mosyle, a leader in Apple device management and security, has exclusively revealed to 9to5Mac details on a new Mac malware strain, dubbed “JSCoreRunner”. The sample had zero detections on VirusTotal at the time of discovery (Mosyle calls it a “zero-day” on that basis; no software vulnerability is involved, the infection relies on the user running an installer) and spreads through a malicious PDF conversion site, fileripple[.]com, that tricks users into downloading what appears to be a harmless utility.
Free tools that promise quick conversions of HEIC and WebP images, PDFs, and Word documents have proliferated online as the go-to way around format compatibility problems. Cybercriminals are exploiting that habit by building fake websites that masquerade as legitimate utilities to infect unsuspecting users. The problem has become widespread enough that earlier this year the FBI’s Denver field office warned of a rise in malware and data theft originating from file conversion sites of exactly this kind.
In some cases, users may not even know they are infected. According to Mosyle’s research, JSCoreRunner unfolds in two stages. The first installer, FileRipple.pkg, shows a working-looking PDF tool while malicious code runs quietly in the background. Apple has since revoked the developer certificate that signed this package, so macOS now refuses to run it outright. The true payload arrives in a second installer, Safari14.1.2MojaveAuto.pkg, which is unsigned. An unsigned package is not hard-blocked the way a revoked-signature one is: Gatekeeper only warns about it, and only when the file carries the com.apple.quarantine attribute that browsers set on downloads. A package fetched by a script rather than a browser, or one whose quarantine attribute has been stripped (which the second stage does to its own payload, per Mosyle), is never assessed at all.
Once installed, JSCoreRunner specifically hijacks the user’s Google Chrome browser by rewriting its search engine settings so that every profile silently defaults to a fraudulent search provider. Because the default search engine receives everything typed into the address bar, the operator can capture queries (in effect keylogging of searches), redirect them to phishing sites, and promote malicious results, ultimately enabling any sort of data and/or financial theft.
More details on the findings from Mosyle’s security research team are in the exclusive press release below.
Press release
Mosyle Discovers New Mac Malware, “JSCoreRunner,” with Zero-Day Detection
Mosyle, a leading name in Apple security, has identified a new and sophisticated Mac malware campaign, dubbed “JSCoreRunner”. The threat, which functions as a Trojan/Adware, is distributed via a fake PDF conversion website, “fileripple[.]com”. At the time of analysis, the malware had zero detections on VirusTotal, making it a “zero-day” threat that can bypass existing security measures. This highlights the importance for Mac admins to be vigilant and proactive in their security posture, as new and evolving threats continue to emerge.
The malware operates in a two-stage process. The first stage is a package named “FileRipple.pkg,” which masquerades as a legitimate PDF tool. To support this, the malware launches a process that creates a fake webview, displaying a preview of a legitimate-looking PDF tool while the malicious activity runs silently in the background. This package was signed by a developer whose signature was revoked by Apple, meaning that macOS will block the package on launch. However, the second stage, named “Safari14.1.2MojaveAuto.pkg,” is unsigned and therefore not blocked by default. This second stage is downloaded directly from the same domain and is the one that executes the main malicious payload.
Once the second stage is launched, it performs a series of actions to infect the system. It first sends a request to a command-and-control server to confirm the installation. It then identifies the real user, removes the quarantine attributes from the application, and sets the path to execute the main binary.
The primary goal of JSCoreRunner at this time is to hijack a user’s web browser. Specifically, the malware targets Google Chrome profiles on macOS, traversing the ~/Library/Application Support/Google/Chrome/ folder to identify both the default profile and any additional profiles. The malware modifies the search engine settings by creating a new TemplateURL object, which defines the search URL, new tab URL, and display name. This allows the malware to redirect users to a fraudulent search engine. To avoid detection and hide its activities, the malware also passes arguments to Chrome to hide crash logs and the “restore last session” bubble.
For Mac admins looking to add this threat to their security tools, the following hashes have been provided by Mosyle:
FileRipple.pkg (first stage) – 3634d1333e958412814806a5d65f1d82536d94cac21ec44b8aba137921ae3709
FileRipple (Mach-O) – 5828ab3abf72c93838a03fb5a9ca271ddbb66ad4b3a950668a22cd8f37ac9b04
FileRipple (postinstall) – 6c5e51e7aeb1836d801424f20ffd56734cdc35a75ae3cca88002f94c40949a27
JSCoreRunner (second stage):
Safari14.1.2MojaveAuto.pkg – 23186719325c87eb4e17aae0db502e78fb24598e97c8a9c151d7c347e72c0331
Updater (Mach-O) – a7a02c6f5073133added3bfc9c67ca385168ba35469752fcddf5e1ed5fcef1ce
preinstall – 35c64a2111c0b8e728ee82db3d727319720e612e9a3dfe85d445f5b90fc1485a
postinstall – 84f8e3f996cf907f71ee4823c1bc91a82589c5e4fcd98a9084e51b02ad3515dd
JavaScript (obfuscated) – a86fe93e1a4c451c11b628f622b80770f40254de4a050bbe8e4caae7ef89dfa4
This discovery made by Mosyle’s Security Research team underscores the need for continuous monitoring and a multi-layered security approach to protect against new and sophisticated threats that can bypass standard security checks like notarization and signature validation. Mac admins should also consider user education as a vital component of their defense strategy, reminding users to be cautious of software downloaded from unverified sources.
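For Mac admins who want something to run rather than just a list of hashes, the following is an added hunt script written for this article; it is not Mosyle’s tooling and not code from the malware. It does two things the text above describes: it hashes files under a directory against the published SHA-256 list, and it walks the Chrome profile folder (Default and every Profile N, as the malware does) reading each profile’s Preferences and Secure Preferences JSON, where Chrome stores its default engine under default_search_provider_data.template_url_data (the TemplateURL fields named in the press release: url, new_tab_url, short_name), and flags any profile whose search URL host is not on an allow-list. The allow-list, the sample directory tree, the placeholder package file and the hijack domain search.hijack.invalid are all constructed for this example; the demo() function builds that tree in a temp directory so the script runs offline, and the __main__ block then runs the same checks against the real Chrome folder and ~/Downloads.

```python
"""Hunt for JSCoreRunner indicators on a Mac (added example, not Mosyle's code)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# SHA-256 values exactly as published by Mosyle, keyed to the file they describe.
JSCORERUNNER_SHA256 = {
    "3634d1333e958412814806a5d65f1d82536d94cac21ec44b8aba137921ae3709": "FileRipple.pkg (first stage)",
    "5828ab3abf72c93838a03fb5a9ca271ddbb66ad4b3a950668a22cd8f37ac9b04": "FileRipple Mach-O",
    "6c5e51e7aeb1836d801424f20ffd56734cdc35a75ae3cca88002f94c40949a27": "FileRipple postinstall",
    "23186719325c87eb4e17aae0db502e78fb24598e97c8a9c151d7c347e72c0331": "Safari14.1.2MojaveAuto.pkg (second stage)",
    "a7a02c6f5073133added3bfc9c67ca385168ba35469752fcddf5e1ed5fcef1ce": "Updater Mach-O",
    "35c64a2111c0b8e728ee82db3d727319720e612e9a3dfe85d445f5b90fc1485a": "second-stage preinstall",
    "84f8e3f996cf907f71ee4823c1bc91a82589c5e4fcd98a9084e51b02ad3515dd": "second-stage postinstall",
    "a86fe93e1a4c451c11b628f622b80770f40254de4a050bbe8e4caae7ef89dfa4": "obfuscated JavaScript",
}

# Search hosts a managed fleet is expected to default to. Assumption of this
# example; replace with the engines you actually approve.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

CHROME_DIR = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(root: Path, iocs: dict[str, str] = JSCORERUNNER_SHA256) -> list[tuple[Path, str]]:
    """Return (path, label) for every regular file under root whose SHA-256 is in iocs."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            label = iocs.get(sha256_file(p))
            if label:
                hits.append((p, label))
    return hits


def default_search_url(prefs: dict) -> str | None:
    """Chrome keeps the default engine's TemplateURL under
    default_search_provider_data.template_url_data; 'url' is the search URL."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    return data.get("url") if isinstance(data, dict) else None


def audit_chrome_profiles(chrome_dir: Path) -> dict[str, str]:
    """Map profile name -> search URL for each Default/Profile N profile whose default
    engine host is not allow-listed. Both pref files are read; either may hold it."""
    findings: dict[str, str] = {}
    if not chrome_dir.is_dir():
        return findings
    for profile in sorted(chrome_dir.iterdir()):
        if not (profile.name == "Default" or profile.name.startswith("Profile ")):
            continue  # skips System Profile, Guest Profile, etc.
        for fname in ("Secure Preferences", "Preferences"):
            f = profile / fname
            if not f.is_file():
                continue
            try:
                url = default_search_url(json.loads(f.read_text(encoding="utf-8")))
            except (ValueError, OSError):
                continue
            if url and urlparse(url).hostname not in EXPECTED_SEARCH_HOSTS:
                findings[profile.name] = url
                break
    return findings


def build_sample_fleet() -> Path:
    """Constructed sample data (not real malware): a temp tree shaped like the Chrome
    folder with one hijacked profile, one clean one, one that must be ignored, plus a
    harmless placeholder file standing in for a dropped package."""
    root = Path(tempfile.mkdtemp(prefix="jscorerunner-hunt-"))
    chrome = root / "Google" / "Chrome"
    hijacked = {"default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "search",
        "url": "https://search.hijack.invalid/?q={searchTerms}",
        "new_tab_url": "https://search.hijack.invalid/newtab"}}}
    clean = {"default_search_provider_data": {"template_url_data": {
        "short_name": "Google", "keyword": "google.com",
        "url": "https://www.google.com/search?q={searchTerms}"}}}
    for name, prefs in (("Default", hijacked), ("Profile 1", clean), ("System Profile", hijacked)):
        (chrome / name).mkdir(parents=True)
        (chrome / name / "Preferences").write_text(json.dumps(prefs), encoding="utf-8")
    (root / "Safari14.1.2MojaveAuto.pkg").write_bytes(b"placeholder, not the real package")
    return root


def demo() -> tuple[dict[str, str], list[str]]:
    """Run both checks over the constructed tree and return (hijacked profiles, IOC labels).
    The placeholder's own hash is used as the IOC so the match path is exercised offline."""
    root = build_sample_fleet()
    try:
        hijacked = audit_chrome_profiles(root / "Google" / "Chrome")
        sample_iocs = {sha256_file(root / "Safari14.1.2MojaveAuto.pkg"): "sample package"}
        hits = [label for _, label in match_iocs(root, sample_iocs)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return hijacked, hits


if __name__ == "__main__":
    print("demo:", demo())
    for name, url in audit_chrome_profiles(CHROME_DIR).items():
        print(f"[!] Chrome profile {name!r} defaults to unexpected search engine {url}")
    for path, label in match_iocs(Path.home() / "Downloads"):
        print(f"[!] IOC match: {path} ({label})")
```

A hash match is only useful while the operators keep shipping these exact files; the profile audit catches the effect the hash list cannot, so it is worth running on a schedule regardless of which packages a future variant drops. A flagged profile whose engine the user did not choose is a strong signal; a flagged profile with a corporate or regional engine just means the allow-list needs extending.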