
PDF Conversion Site Repurposed for Malware Distribution, Known as 'JSCoreRunner' Mac Attack

The JSCoreRunner Mac malware is distributed through a bogus PDF-conversion site called FileRipple. It uses a two-stage payload to get past Apple's security checks and stay undetected.

PDF Conversion Site Exploited to Distribute Malware Known as 'JSCoreRunner' on Mac Devices


A new malware campaign, named JSCoreRunner, has been identified, posing a significant threat to Mac users. This malicious software employs a two-stage deployment strategy to bypass Apple's security measures and achieve its primary objective: browser hijacking, specifically targeting Google Chrome installations on infected systems.

The campaign begins with a signed package that appears legitimate, designed to lure users into downloading it. The package disguises itself as a utility called "FileRipple.pkg," which is falsely marketed as a genuine PDF tool on the fraudulent website fileripple.com.

The second stage is delivered unsigned, which lets it slip past macOS Gatekeeper's default blocking. Once installed, JSCoreRunner establishes persistence by modifying Chrome's search engine settings so that the user's searches are redirected to fraudulent search engines.

This deception lets the malware carry out its activity silently while the user believes they are interacting with a legitimate application. It also suppresses crash logs and session-restoration prompts so that the tampering leaves no visible trace.
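The two behaviours described above, a rewritten default search engine and a suppressed session-restore prompt, both leave traces in Chrome's per-profile Preferences file, which is plain JSON. The audit below is an added example written for this page, not code from 9to5Mac, Apple or any analysis of the malware. It assumes the Preferences keys `default_search_provider_data.template_url_data` (search engine name and URL) and `profile.exit_type` / `profile.exited_cleanly` (Chrome records `Crashed` at launch and resets it on a clean exit, so a `Normal` value while the browser is running means something else wrote the file); the allow-list of search hosts and the sample file contents are constructed for the demonstration and should be tuned to local policy.

```python
"""Audit a Chrome Preferences file for a hijacked default search engine and
for a suppressed "restore pages?" prompt.

Added example for this article; hypothetical helper, not from the original
write-up. On macOS the real file is at
~/Library/Application Support/Google/Chrome/Default/Preferences
"""
import json
from urllib.parse import urlparse

# Assumption: search hosts the organisation considers legitimate. Tune locally.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}

# Constructed sample shaped like a tampered Preferences file. The host uses the
# reserved .invalid TLD; it is a placeholder, not an indicator from the campaign.
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Google",            # still claims to be Google...
            "keyword": "google.com",
            "url": "https://search-redirect.invalid/results?q={searchTerms}",  # ...but is not
        }
    },
    # exit_type rewritten to Normal so Chrome does not offer to restore the last session
    "profile": {"exit_type": "Normal", "exited_cleanly": True},
})

# Constructed sample of an untouched profile, captured while Chrome is running.
CLEAN_PREFERENCES = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Google",
            "keyword": "google.com",
            "url": "https://www.google.com/search?q={searchTerms}",
        }
    },
    "profile": {"exit_type": "Crashed", "exited_cleanly": False},
})


def search_provider(text: str) -> tuple:
    """Return (display name, host) of the configured default search engine."""
    prefs = json.loads(text)
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    host = urlparse(data.get("url", "")).hostname or ""
    return data.get("short_name", ""), host


def audit_preferences(text: str, chrome_running: bool = False) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    prefs = json.loads(text)
    findings = []

    name, host = search_provider(text)
    if host and host not in KNOWN_SEARCH_HOSTS:
        findings.append(f"default search provider '{name}' sends queries to unexpected host {host}")
    # Name spoofing: the label says Google but the query URL goes elsewhere.
    if "google" in name.lower() and not host.endswith("google.com"):
        findings.append(f"search provider named '{name}' but URL host is {host}")

    # Chrome itself writes exit_type=Crashed at launch; a Normal/clean value on a
    # live browser means another process rewrote the file (assumption, see lead-in).
    profile = prefs.get("profile", {})
    if chrome_running and profile.get("exit_type") == "Normal" and profile.get("exited_cleanly"):
        findings.append("exit_type/exited_cleanly rewritten while Chrome is running "
                        "(session-restore prompt suppressed)")
    return findings


if __name__ == "__main__":
    for label, sample in (("tampered", SAMPLE_PREFERENCES), ("clean", CLEAN_PREFERENCES)):
        print(label, audit_preferences(sample, chrome_running=True) or "no findings")
```

Run it against a live profile by reading the Preferences path above instead of the sample string, and pass `chrome_running=True` only when the browser process is actually up; the exit-type check is meaningless on a snapshot taken after a clean shutdown.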

Notably, JSCoreRunner had achieved complete evasion across all security vendors on VirusTotal at the time of discovery, making it particularly concerning. The hacker or group behind this Mac malware remains unidentified in the available information.

9to5Mac analysts identified this campaign as significant due to its zero-day status at the time of discovery. Apple revoked the developer's signature for the first-stage package, causing macOS Gatekeeper to block it. However, the second stage of the JSCoreRunner campaign, "Safari14.1.2MojaveAuto.pkg," operates as an unsigned payload and downloads directly from the same compromised domain.

This new malware campaign represents a significant evolution in macOS threats, bypassing Apple's security measures. Users are advised to exercise caution when downloading software from unverified sources and to keep their systems updated to protect against such threats.
