Kaspersky Labs has found previously unknown malware that enters macOS users’ computers through pirated software and replaces their hot Bitcoin and Exodus wallets with infected versions. According to the researchers, the hackers are still developing the malware in preparation for a new campaign.

Researchers uncovered a “family” of new trojan proxies in December. Hackers were compromising, or “cracking,” legitimate apps that users downloaded the app unauthorized sources along with the malware:

“Cybercriminals […] realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.”

The malware targets macOS versions 13.6 and above. The hackers gain access to a user’s computer security password when the user enters it into an activator box and to the private keys to crypto wallets when the user try open crypto wallets compromised by the malware.

Related: How scammers used FOMO and misleading code to rug 42K victims — Blockfence

The malware itself was being written as researchers traced it, they observed. Although the method is basic, the malware itself was “seriously ingenious,” the researchers said. As a result:

“The final payload was a backdoor that could run any scripts with administrator privileges, and replace Exodus and Bitcoin cryptowallet applications installed on the machine with infected versions that stole secret recovery phrases the moment the wallet was unlocked.”

The unfolding malware campaign can be avoided by using trusted websites, keeping the computer’s operating system updated and using a security solution on it, Kaspersky reminded.

Malware activator box. Source: Securelist by Kaspersky 

Other techniques used by hackers include disguising malware as a legitimate wallet on online stores or fake websites. That activity has become so common that the United States Federal Bureau of Investigation issued a warning about it.

In November, the North Korean Lazarus Group of hackers created malware that targeted macOS users in the decentralized finance community that circulated in Discord groups.

Magazine: Real AI use cases in crypto, No. 3: Smart contract audits & cybersecurity