Microsoft's threat intelligence team has warned about the macOS cryptocurrency wallet stealer known as Activator, after seeing elevated activity.
First detected in December 2023, the malware has shown a notable increase in network activity since March 2024, the software giant notes in a thread on X.
Activator disguises itself within cracked versions of legitimate software, delivered as Apple Disk Image (DMG) files. Once an unsuspecting user installs the compromised application, the malware prompts them to grant it elevated privileges.
With those privileges, Activator makes two critical changes to system settings: it turns off macOS's Gatekeeper security feature and disables the Notification Center, silencing any alerts that might warn the user of its activity.
Following these initial manipulations, Activator starts a multi-stage infection chain. It downloads and executes several stages of malicious Python scripts from multiple command-and-control (C2) domains. These scripts are then registered in the macOS LaunchAgents folder, ensuring their persistence on the infected system.
The culmination of this infection process is particularly dangerous for users of Exodus and Bitcoin-Qt wallet applications. Activator replaces these applications with trojanized versions if they are found on the system. It then begins exfiltrating sensitive data, such as cryptocurrency wallet information, to a C2 domain using HTTP POST requests.
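As an added defender-side illustration, not code from Microsoft or this article, the shell script below checks a Mac for the three behaviours just described: Gatekeeper assessments switched off (`spctl --status`), LaunchAgents plists that launch Python, and wallet apps whose code signature no longer verifies. The LaunchAgents paths, the `/Applications` install locations and the Python heuristic are assumptions, not indicators taken from Microsoft's report.

```shell
#!/bin/sh
# Added triage helpers (not Microsoft's or the article's code) for three
# Activator behaviours described above: Gatekeeper switched off, Python
# stages persisted via LaunchAgents, and wallet apps swapped for trojanized
# copies. Assumes LaunchAgent plists are XML text (binary ones can be
# converted with `plutil -convert xml1 <file>` before scanning).

# Exit 0 if Gatekeeper assessments are disabled, 1 if enabled, 2 off macOS.
gatekeeper_disabled() {
    command -v spctl >/dev/null 2>&1 || return 2
    spctl --status 2>/dev/null | grep -q 'assessments disabled'
}

# Print "plist<TAB>argument" for each plist in DIR whose <string> values
# reference a Python interpreter or a .py script; prints nothing when clean.
scan_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        hit=$(grep -o '<string>[^<]*</string>' "$plist" \
              | grep -iE 'python|\.py</string>' | head -n 1 || true)
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$plist" "$hit"
        fi
    done
    return 0
}

# Verify the code signatures of the two wallet apps Activator replaces; a
# signature that no longer verifies on an app you installed is a red flag.
check_wallet_apps() {
    for app in /Applications/Exodus.app /Applications/Bitcoin-Qt.app; do
        [ -d "$app" ] || continue
        if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
            printf '%s\tsignature OK\n' "$app"
        else
            printf '%s\tSIGNATURE INVALID: possible trojanized copy\n' "$app"
        fi
    done
    return 0
}

# Stand-alone run: report on the per-user and system-wide LaunchAgents dirs.
gatekeeper_disabled && echo 'WARNING: Gatekeeper assessments are disabled'
scan_launch_agents "$HOME/Library/LaunchAgents"
scan_launch_agents /Library/LaunchAgents
check_wallet_apps
```

The Python heuristic will also flag legitimate agents that happen to run Python, so treat each hit as something to inspect rather than a verdict.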
Microsoft recommends that organizations protect their macOS devices by enabling real-time protection, cloud-delivered protection, and potentially unwanted application (PUA) protection in Microsoft Defender for Endpoint. Of course, there are macOS-compatible security solutions from other vendors too, as well as Apple's built-in Gatekeeper and XProtect, which use signature-based detection to block the execution of payloads known to be malicious.
For users and organizations using macOS, it is crucial to avoid downloading and installing software from unverified sources. Regular updates and the use of comprehensive antivirus solutions and firewalls are paramount in defending against malware threats like Activator.