A look under the hood revealed an interesting fact right away: the application in the Resources folder somehow contained a Python 3.9.6 installer and an extra Mach-O file with the name tool.

The main Fat Mach-O file, tellingly named GUI, essentially implemented the PATCH button, clicking which launched two events:

- The Python installer was copied to the temporary file directory: /tmp/.
- The tool executable in the resources folder ran with administrator privileges.

To enable this, Activator employed the now-obsolete AuthorizationExecuteWithPrivileges function, which brought up the window with the admin password prompt.

Once running, tool checked the system for an installed copy of Python 3, and if it did not find one, it installed the copy it had previously placed in /tmp/. Next, it "patched" the downloaded app: tool compared the first 16 bytes of the modified executable with a sequence hardcoded inside Activator and removed them in the case of a match.

Checking the first 16 bytes of the executable

The app amusingly started working and appeared to have been cracked. The trick was that the malicious actors had taken pre-cracked application versions and added a few bytes to the beginning of the executable, thus disabling it to make the user launch Activator.

A downloader

A completed "patching" kicked off the main payload, with the sample reaching out to its C2 for an encrypted script. The program obtained the C2 URL by stringing together words from two hardcoded lists and adding a random sequence of five letters as a third-level domain name. With this URL, the sample made a request to a DNS server as an attempt to get a TXT record for the domain. This was a fairly interesting and unusual way of contacting a command-and-control server and hiding activity inside traffic, and it guaranteed downloading the payload, as the response message came from the DNS server. TXT records could contain miscellaneous domain details that the application might require, so a request like that looked perfectly normal per se.
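The TXT-record beaconing described above leaves a recognisable trace in DNS query logs: repeated TXT lookups for names whose leftmost label is five random letters in front of a freshly generated second-level domain. The following detector is an added example, not code from the article or the malware; the log format, the domain names and the thresholds are constructed assumptions.

```python
from collections import defaultdict
import re

# Constructed sample DNS query log (not taken from the article).
# Fields: unix_ts client qname qtype
SAMPLE_LOG = """\
1706000000 10.0.0.7 www.example.com. A
1706000001 10.0.0.7 _dmarc.example.com. TXT
1706000002 10.0.0.7 qzkpw.applecoreupdate.com. TXT
1706000003 10.0.0.9 mail.example.org. MX
1706000004 10.0.0.7 vbxtr.applecoreupdate.com. TXT
1706000005 10.0.0.7 hmqla.macpatchservice.net. TXT
"""

# Heuristic taken from the article's description of the DGA: a third-level
# label of exactly five lowercase letters. The minimum length of the
# second-level label (two concatenated dictionary words) is an assumption.
RANDOM_LABEL_RE = re.compile(r"^[a-z]{5}$")
MIN_SLD_LEN = 8


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def looks_like_dga_txt_name(qname):
    """True if qname matches the <5 random letters>.<word+word>.<tld> shape."""
    labels = qname.split(".")
    if len(labels) != 3:
        return False
    sub, sld, _tld = labels
    return bool(RANDOM_LABEL_RE.match(sub)) and len(sld) >= MIN_SLD_LEN


def flag_txt_beacons(log_text, min_hits=2):
    """Return {client: [qnames]} for clients with >= min_hits suspicious TXT queries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "TXT" and looks_like_dga_txt_name(rec["qname"]):
            hits[rec["client"]].append(rec["qname"])
    return {client: names for client, names in hits.items() if len(names) >= min_hits}
```

Legitimate TXT lookups such as `_dmarc.example.com` are not flagged because their leftmost label does not fit the five-letter pattern; the `min_hits` threshold suppresses a single chance match.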