New Mac malware identified that evades detection through fake PDF conversion tool
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Mosyle has discovered a new Mac malware strain called 'JSCoreRunner' that evades detection by masquerading as a PDF conversion tool. The malware spreads through a malicious website, fileripple.com, and operates in two stages. The first stage, FileRipple.pkg, appears as a legitimate PDF tool while running malicious code in the background. The second stage, Safari14.1.2MojaveAuto.pkg, bypasses Gatekeeper's protections. Once installed, JSCoreRunner targets Chrome browsers, altering search engine settings to redirect users to fraudulent providers. This exposes users to keylogging, phishing, and potential data theft. The malware's sophisticated approach highlights the need for vigilance and proactive security measures for Mac administrators.
OPENCTI LABELS :
chrome hijacking, apple security, mac, jscorerunner, mosyle, zero-day threat, two-stage infection, fileripple.com, pdf conversion, browser redirection
AI COMMENTARY :
1. The recent discovery of a new Mac malware strain named JSCoreRunner has sent ripples through the Apple security community. Researchers at Mosyle uncovered this zero-day threat masquerading as a PDF conversion tool. The report titled "New Mac malware identified that evades detection through fake PDF conversion tool" highlights how the adversary leverages a bogus application to slip past conventional defenses. By exploiting user trust in a seemingly harmless file format, attackers have added another chapter to the evolving saga of macOS threats.
2. Infection begins when a user visits fileripple.com, a malicious website designed to look like a legitimate PDF conversion service. Once the user downloads FileRipple.pkg, the first stage of the two-stage infection silently executes malicious code in the background. This initial installer appears genuine and performs basic PDF conversion tasks, distracting the user while the real payload remains hidden. The second stage, Safari14.1.2MojaveAuto.pkg, deploys additional components that bypass Gatekeeper’s protections, ensuring the malware installs without triggering macOS’s built-in security warnings.
3. After establishing a foothold, JSCoreRunner focuses on Chrome hijacking and browser redirection. It specifically targets Chrome browsers, altering their search engine settings so that traffic is routed through fraudulent providers. This silent hijacking redirects unsuspecting users to phishing pages or domains set up for data harvesting. In some variants, the malware includes keylogging modules that capture every keystroke, further escalating the risk of credential theft and sensitive data exposure. This blend of browser redirection and keylogging demonstrates a sophisticated approach designed to monetize compromised systems over time.
4. The implications of this attack extend beyond a simple nuisance. Mac administrators must now account for an emerging macOS threat landscape where two-stage infection chains and advanced evasion tactics are becoming commonplace. JSCoreRunner’s ability to bypass Gatekeeper exposes gaps in current defenses and challenges the perception that macOS is inherently more secure. Organizations relying on Macs for critical operations need to reexamine their endpoint security posture and consider solutions capable of detecting stealthy, multi-component malware before it can establish persistence.
5. Mitigation requires a combination of vigilance and layered defenses. Administrators should enforce strict download policies, monitor network traffic for anomalies related to fileripple.com, and deploy endpoint protection platforms that specialize in macOS threat detection. Regular audits of browser settings can help identify unauthorized changes to search engines or extensions. Keeping macOS and security tools up to date will reduce the window of exposure to zero-day threats. Educating users about the risks of downloading tools from unfamiliar sites remains a critical step in reducing the attack surface.
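As an added illustration of the browser-settings audit recommended above (this is example code, not part of the report or of Mosyle's tooling), the script below checks a Chrome Preferences file for a default search provider or startup URL outside an administrator-defined allowlist. It assumes the standard Chrome profile layout on macOS and the `default_search_provider_data` / `session` keys of the Preferences JSON; the sample file contents and the allowlist are constructed for the example.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed stand-in for the JSON Chrome keeps at
# ~/Library/Application Support/Google/Chrome/Default/Preferences.
# The provider name and host are made up for this example, not taken from the report.
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Quick Search",
            "keyword": "quick-search.example",
            "url": "https://quick-search.example/s?q={searchTerms}",
        }
    },
    "session": {"restore_on_startup_urls": ["https://quick-search.example/start"]},
})

# Search hosts the organisation permits (assumption: adjust to your fleet's policy).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def audit_search_provider(preferences_text, allowed_hosts=ALLOWED_SEARCH_HOSTS):
    """Return findings for search-provider and startup-page settings outside the allowlist."""
    prefs = json.loads(preferences_text)
    findings = []
    provider = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if provider is not None:  # absent key means Chrome's built-in default is in use
        host = urlparse(provider.get("url", "")).hostname or ""
        if host not in allowed_hosts:
            findings.append("default search provider %r uses non-allowlisted host %s"
                            % (provider.get("short_name"), host))
    for url in prefs.get("session", {}).get("restore_on_startup_urls", []):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append("startup URL points at non-allowlisted host %s" % host)
    return findings


def audit_chrome_profile(profile_dir=Path.home() / "Library/Application Support/Google/Chrome/Default"):
    """Audit a real profile directory; returns [] when no Preferences file exists."""
    prefs_path = Path(profile_dir) / "Preferences"
    if not prefs_path.is_file():
        return []
    return audit_search_provider(prefs_path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for finding in audit_search_provider(SAMPLE_PREFERENCES):
        print("FINDING:", finding)
```

Run it under an MDM script or a scheduled job per user profile and alert on any non-empty result; a changed `keyword` or `url` that the organisation never pushed by policy is the setting this malware is reported to alter.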
6. The emergence of JSCoreRunner underscores the evolving sophistication of Mac-targeted malware and the importance of proactive security measures. By masquerading as a PDF conversion utility and executing a two-stage infection, this threat demonstrates that attackers are willing to bypass traditional defenses to achieve their objectives. Staying ahead of such techniques demands continuous monitoring, targeted threat intelligence, and an unwavering commitment to comprehensive Apple security strategies. Only through vigilance and adaptability can organizations defend against the next wave of Mac malware.