Emerging Mac Malware ‘JSCoreRunner’ Exploits Fake PDF Conversion Site to Deliver Malicious Payloads

A sophisticated new malware campaign targeting macOS users has been identified, leveraging a deceptive PDF conversion website to distribute a two-stage malicious payload. This malware, named JSCoreRunner, signifies a notable advancement in macOS threats, showcasing cybercriminals’ evolving tactics to circumvent Apple’s security protocols while achieving zero detection rates across major security platforms.

Deceptive Distribution via Fileripple[.]com

The attack vector operates through the fraudulent website fileripple[.]com, which masquerades as a legitimate PDF conversion service. Unsuspecting users visiting this site are prompted to download an application named FileRipple.pkg. Upon installation, this package presents a counterfeit webview interface, creating the illusion of a genuine PDF tool. Because the user believes they are running a working converter, the malware can carry out its activities in the background without drawing attention.

Zero-Day Status and Evasion of Detection

Analysts from 9to5Mac have highlighted the severity of this campaign, noting its zero-day status at the time of discovery. Remarkably, the sample was not flagged by a single security vendor on VirusTotal, underscoring the advanced nature of this threat and the limits of signature-based detection against it.

Primary Objective: Browser Hijacking

JSCoreRunner’s main goal is to hijack web browsers, with a particular focus on Google Chrome installations on infected systems. The malware systematically navigates through the ~/Library/Application Support/Google/Chrome/ directory to identify both default and additional user profiles. It then manipulates search engine configurations by modifying TemplateURL objects, effectively redirecting users to fraudulent search engines.

Two-Stage Infection Mechanism

The JSCoreRunner campaign employs a meticulously designed two-stage deployment strategy to bypass macOS security controls:

1. Initial Stage: The attack begins with a signed package crafted to appear legitimate. However, Apple has since revoked the developer’s signature. This revocation prompts macOS Gatekeeper to block the first-stage package, potentially leading users to believe the threat has been neutralized.

2. Second Stage: Despite the initial block, the second stage involves an unsigned payload named Safari14.1.2MojaveAuto.pkg, downloaded directly from the same fraudulent domain. The unsigned nature of this payload allows it to circumvent Gatekeeper’s default blocking mechanisms, as macOS typically applies signature validation to the package the user initially downloaded rather than to components fetched afterwards.

Upon successful installation, the malware establishes persistence by altering Chrome’s search engine settings. It redirects users to fraudulent search engines while concealing crash logs and session restoration prompts to maintain stealth operations.
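The two Chrome-related behaviours described above (enumerating profiles under ~/Library/Application Support/Google/Chrome/ and rewriting the default search engine) can be audited from the defender's side. The script below is an added example and is not code from the article or from any vendor tooling. It assumes that Chrome keeps each profile's settings as JSON in a `Preferences` file inside the profile directory (`Default`, `Profile 1`, ...) and that the default search engine is recorded under `default_search_provider_data.template_url_data`; the allow-list of search hosts, the `search.example.invalid` placeholder and the two sample profiles are constructed for the demo.

```python
"""Audit Chrome profiles on macOS for a tampered default search engine.

Added example, not from the article. Assumptions: each profile under the
Chrome user-data directory has a JSON 'Preferences' file whose
default_search_provider_data.template_url_data holds the active search
engine; KNOWN_SEARCH_HOSTS is a defender-chosen allow-list.
"""
import json
import os
import sys
import tempfile
from urllib.parse import urlparse

# Real Chrome location on macOS; the demo below builds a throwaway copy instead.
CHROME_USER_DATA = os.path.expanduser("~/Library/Application Support/Google/Chrome")

# Hosts a defender expects as a legitimate default search provider (assumption).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def find_profiles(user_data_dir):
    """Return profile directories (Default, Profile 1, ...) that contain a Preferences file."""
    profiles = []
    if not os.path.isdir(user_data_dir):
        return profiles
    for name in sorted(os.listdir(user_data_dir)):
        if name == "Default" or name.startswith("Profile "):
            if os.path.isfile(os.path.join(user_data_dir, name, "Preferences")):
                profiles.append(name)
    return profiles


def audit_profile(user_data_dir, profile):
    """Inspect one profile's default search provider; return a list of findings (empty = clean)."""
    with open(os.path.join(user_data_dir, profile, "Preferences"), encoding="utf-8") as fh:
        prefs = json.load(fh)
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    findings = []
    if tmpl:  # absent when the profile still uses Chrome's built-in default
        search_url = tmpl.get("url", "")
        host = urlparse(search_url).hostname or ""
        if host not in KNOWN_SEARCH_HOSTS:
            findings.append(
                f"default search provider '{tmpl.get('short_name', '?')}' "
                f"points to unknown host: {host or search_url!r}"
            )
    return findings


def audit_user_data(user_data_dir):
    """Audit every profile; returns {profile_name: [finding, ...]}."""
    return {p: audit_profile(user_data_dir, p) for p in find_profiles(user_data_dir)}


def build_sample_user_data():
    """Construct a throwaway user-data dir with one clean and one hijacked profile (demo data)."""
    root = tempfile.mkdtemp(prefix="chrome-audit-")
    clean = {"default_search_provider_data": {"template_url_data": {
        "keyword": "google.com", "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}"}}}
    # Constructed placeholder host standing in for an attacker-chosen search engine.
    hijacked = {"default_search_provider_data": {"template_url_data": {
        "keyword": "search", "short_name": "Search",
        "url": "https://search.example.invalid/?q={searchTerms}"}}}
    for name, prefs in (("Default", clean), ("Profile 1", hijacked)):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "Preferences"), "w", encoding="utf-8") as fh:
            json.dump(prefs, fh)
    return root


if __name__ == "__main__":
    # Pass a user-data directory (e.g. CHROME_USER_DATA) to audit a real install;
    # with no argument the constructed demo profiles are audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_user_data()
    for profile, findings in audit_user_data(target).items():
        status = "SUSPICIOUS" if findings else "OK"
        print(f"[{status}] {profile}: {'; '.join(findings) or 'default search provider is a known host'}")
```

Running it against a real machine (`python3 audit_chrome_search.py "$HOME/Library/Application Support/Google/Chrome"`) lists every profile whose default search URL resolves to a host outside the allow-list, which is exactly the change this campaign makes; because the check walks all `Profile N` directories rather than only `Default`, a hijack of a secondary profile is not missed. Tune `KNOWN_SEARCH_HOSTS` to the engines your organisation actually permits.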

Implications and Recommendations

The emergence of JSCoreRunner highlights the increasing sophistication of macOS-targeted malware and the continuous adaptation of cybercriminals to bypass security measures. Users are advised to exercise caution when downloading software from unfamiliar sources and to verify the authenticity of applications before installation. Regular updates to security software and operating systems are crucial in defending against such evolving threats.