New Mac Malware Dubbed \u2018JSCoreRunner\u2019 Weaponizing PDF Conversion Site to Deliver Malware
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A sophisticated new Mac malware campaign has emerged, targeting users through a deceptive PDF conversion website that conceals a dangerous two-stage payload.<\/p>\n
The malware, dubbed \u201cJSCoreRunner,\u201d represents a significant evolution in macOS threats, demonstrating how cybercriminals are adapting their techniques to bypass Apple\u2019s security measures while maintaining zero detection rates on major security platforms.<\/p>\n
The threat operates through fileripple[.]com, a fraudulent website that masquerades as a legitimate PDF conversion service.<\/p>\n
Users visiting the site are prompted to download what appears to be a helpful utility called \u201cFileRipple.pkg,\u201d which creates the illusion of a genuine PDF tool by launching a fake webview interface.<\/p>\n
This sophisticated deception allows the malware to execute its malicious activities silently while users believe they are interacting with a legitimate application.<\/p>\n
9to5Mac analysts identified<\/a> this campaign as particularly concerning due to its zero-day status at the time of discovery.<\/p>\n The malware had achieved complete evasion across all security vendors on VirusTotal, highlighting the advanced nature of this threat and the challenges facing traditional detection methods.<\/p>\n The malware\u2019s primary objective centers on browser hijacking, specifically targeting Google Chrome installations on infected systems.<\/p>\n JSCoreRunner systematically traverses the ~\/Library\/Application Support\/Google\/Chrome\/ directory to locate both default and additional user profiles, then manipulates search engine configurations through TemplateURL object modifications.<\/p>\n The JSCoreRunner campaign<\/a> employs a carefully orchestrated two-stage deployment strategy designed to circumvent macOS security controls.<\/p>\n The initial stage involves a signed package that was deliberately crafted to appear legitimate, though Apple subsequently revoked the developer\u2019s signature.<\/p>\n This revocation triggers macOS<\/a> Gatekeeper to block the first-stage package, creating a false sense of security for users who might assume the threat has been neutralized.<\/p>\n However, the second stage, \u201cSafari14.1.2MojaveAuto.pkg,\u201d operates as an unsigned payload that downloads directly from the same compromised domain.<\/p>\n This unsigned nature allows it to bypass Gatekeeper\u2019s default blocking mechanisms, as macOS typically focuses signature validation on initially downloaded packages rather than subsequently fetched components.<\/p>\n Upon successful installation, the malware establishes persistence<\/a> by modifying Chrome\u2019s search engine settings, redirecting users to fraudulent search engines while hiding crash logs and session restoration prompts to maintain stealth operations.<\/p>\n The post New Mac Malware Dubbed \u2018JSCoreRunner\u2019 Weaponizing PDF Conversion Site to Deliver Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTwo-Stage Infection Mechanism<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n