
Mosyle identifies new Mac malware that evades detection through fake PDF conversion tool


Mosyle, a leader in Apple device management and security, has exclusively revealed to 9to5Mac details on a new Mac malware strain, dubbed “JSCoreRunner”. The zero-day threat evaded all detections on VirusTotal at the time of discovery, spreading through a malicious PDF conversion site called fileripple[.]com to trick users into downloading what appears to be a harmless utility.

Free tools that promise quick conversions of HEIC and WebP images, PDFs, and Word documents have proliferated online as popular go-tos for working around format compatibility issues. Cybercriminals are taking advantage of this trend by creating fake websites that masquerade as legitimate utilities to infect unsuspecting users. It has become bad enough that earlier this year the FBI’s Denver field office issued a warning about the increased risk of malware and data theft from file conversion sites, like fileripple[.]com.

In some cases, users might not even know they’re infected. According to Mosyle’s research, JSCoreRunner unfolds in two stages. The first installer, FileRipple.pkg, pretends to be a harmless working PDF tool while malicious code runs quietly in the background. Though this package is now blocked by macOS because its developer certificate was later revoked by Apple, the true payload comes in a second installer called Safari14.1.2MojaveAuto.pkg. Being unsigned, it slips past Gatekeeper’s default protections and is not blocked by default.

Once installed, the JSCoreRunner malware specifically targets the user’s Chrome browser and hijacks it by changing the default search engine to a fraudulent search provider without the user’s knowledge. This exposes users to keylogging, searches redirected to phishing sites, and promoted malicious search results, which can ultimately lead to any sort of data and/or financial theft.
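A defender-side check for the search-engine hijack described above, added here as an example and not part of the original article or of Mosyle’s tooling: it reads Chrome’s per-profile `Preferences` JSON and flags any default search provider whose host is outside an assumed allowlist. The `default_search_provider_data` / `template_url_data` keys are Chrome’s own; the allowlist, the sample preference documents, and the placeholder hijack domain are constructed for the example.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist of search-engine hosts an organisation considers legitimate.
ALLOWED_SEARCH_HOSTS = {"google.com", "www.google.com", "duckduckgo.com", "www.bing.com"}

# Default location of Chrome profiles on macOS.
CHROME_DIR = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"


def default_search_host(prefs: dict):
    """Return the host of the configured default search engine, or None when
    Chrome is still on its built-in Google default (key absent or a
    {google:baseURL} template)."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url", "")
    if not url or url.startswith("{google:baseURL}"):
        return None
    # Compare the URL host, not short_name/keyword: a hijacker can keep the
    # label "Google" while pointing the search URL elsewhere.
    return urlparse(url).hostname or ""


def audit_prefs(prefs: dict):
    """Return the offending host if the default search provider is not allowlisted, else None."""
    host = default_search_host(prefs)
    if host is None or host in ALLOWED_SEARCH_HOSTS:
        return None
    return host


def audit_chrome_profiles(chrome_dir: Path) -> dict:
    """Map profile directory name -> suspicious search host for every Chrome profile."""
    findings = {}
    for pref_file in chrome_dir.glob("*/Preferences"):
        try:
            prefs = json.loads(pref_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written file; skip rather than crash
        bad = audit_prefs(prefs)
        if bad:
            findings[pref_file.parent.name] = bad
    return findings


# Constructed samples: an untouched profile and one whose search URL was redirected
# while the visible label still says "Google".
CLEAN_PREFS = {}
HIJACKED_PREFS = {"default_search_provider_data": {"template_url_data": {
    "short_name": "Google", "keyword": "google.com",
    "url": "https://search.example-placeholder.test/?q={searchTerms}"}}}

if __name__ == "__main__":
    print(audit_chrome_profiles(CHROME_DIR) or "no suspicious default search provider found")
```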

More details on the findings from Mosyle’s security research team are in the exclusive press release below.

Press release

Mosyle Discovers New Mac Malware, “JSCoreRunner,” with Zero-Day Detection

Mosyle, a leading name in Apple security, has identified a new and sophisticated Mac malware campaign, dubbed “JSCoreRunner”. The threat, which functions as a Trojan/Adware, is distributed via a fake PDF conversion website, “fileripple[.]com”. At the time of analysis, the malware had zero detections on VirusTotal, making it a “zero-day” threat that can bypass existing security measures. This highlights the importance for Mac admins to be vigilant and proactive in their security posture, as new and evolving threats continue to emerge.

The malware operates in a two-stage process. The first stage is a package named “FileRipple.pkg,” which masquerades as a legitimate PDF tool. To support this, the malware launches a process that creates a fake webview, displaying a preview of a legitimate-looking PDF tool while the malicious activity runs silently in the background. This package was signed by a developer whose signature was revoked by Apple, meaning that macOS will block the package on launch. However, the second stage, named “Safari14.1.2MojaveAuto.pkg,” is unsigned and therefore not blocked by default. This second stage is downloaded directly from the same domain and is the one that executes the main malicious payload.

Once the second stage is launched, it performs a series of actions to infect the system. It first sends a request to a command-and-control server to confirm the installation. It then identifies the real user, removes the quarantine attributes from the application, and sets the path to execute the main binary.
