**New Mac Malware “JSCoreRunner” Identified: A Rising Hazard in File Conversion Frauds**
Mosyle, a leading Apple device management and security vendor, has disclosed a new Mac malware family it calls “JSCoreRunner.” The sample was a zero-day at the time of discovery, with no detections on VirusTotal, and is distributed through a malicious PDF conversion site, fileripple[.]com, which tricks users into downloading what appears to be a harmless utility.
### The Surge of Faux File Conversion Applications
The abundance of free online tools for quick file conversion (HEIC, WebP, PDF, Word documents and the like) has made them popular with users who run into format compatibility problems. Cybercriminals exploit this demand by setting up deceptive sites that imitate legitimate services and deliver malware instead. Earlier this year, the FBI’s Denver field office warned of the increased risk of malware and data theft from such platforms, including fileripple[.]com.
### How JSCoreRunner Functions
According to Mosyle’s findings, JSCoreRunner is delivered in two stages. The initial installer, FileRipple.pkg, presents itself as a legitimate PDF tool while malicious operations run quietly in the background. macOS now blocks this package because its developer certificate has been revoked, but the real danger lies in the second-stage installer, Safari14.1.2MojaveAuto.pkg. Mosyle reports that this unsigned package gets past Gatekeeper’s built-in safeguards and is not blocked by default.
Once installed, JSCoreRunner hijacks the user’s Chrome browser by changing its search engine settings so that queries are redirected to a fake search provider. This change exposes users to keylogging, phishing, and potentially significant data and financial loss.
### Insights from Mosyle’s Press Release
Mosyle’s press release emphasizes the layered nature of the JSCoreRunner malware. It operates in two phases:
1. **First Phase (FileRipple.pkg)**: This package poses as a legitimate PDF tool while carrying out malicious activity in the background. Although macOS now blocks it, it initially succeeded in misleading users.
2. **Second Phase (Safari14.1.2MojaveAuto.pkg)**: This unsigned package launches the main malicious payload, checks in with a command-and-control server to confirm the installation, and alters the user’s Chrome settings to reroute searches.
### Technical Specifications and Hashes
For Mac administrators looking to strengthen their defenses against this threat, Mosyle has shared the following SHA-256 hashes for detection:
– **FileRipple.pkg (First Phase)**: 3634d1333e958412814806a5d65f1d82536d94cac21ec44b8aba137921ae3709
– **FileRipple (Mach-O)**: 5828ab3abf72c93838a03fb5a9ca271ddbb66ad4b3a950668a22cd8f37ac9b04
– **FileRipple (PostInstall)**: 6c5e51e7aeb1836d801424f20ffd56734cdc35a75ae3cca88002f94c40949a27
– **Safari14.1.2MojaveAuto.pkg (Second Phase)**: 23186719325c87eb4e17aae0db502e78fb24598e97c8a9c151d7c347e72c0331
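A small triage helper an administrator could run on a Mac, added here as an example and not code from Mosyle or the article: it matches a file’s SHA-256 against the four published hashes and inspects Chrome’s `Preferences` JSON for a default search provider that points somewhere other than an expected host. The Chrome preference path and the `default_search_provider_data.template_url_data.url` key are Chrome’s own; the allowlist of expected search hosts and the sample preference data are constructed assumptions.

```python
import hashlib
import json
import os
from typing import Optional
from urllib.parse import urlparse

# SHA-256 hashes published by Mosyle for the JSCoreRunner installers (from the article).
JSCORERUNNER_SHA256 = {
    "3634d1333e958412814806a5d65f1d82536d94cac21ec44b8aba137921ae3709": "FileRipple.pkg (first phase)",
    "5828ab3abf72c93838a03fb5a9ca271ddbb66ad4b3a950668a22cd8f37ac9b04": "FileRipple (Mach-O)",
    "6c5e51e7aeb1836d801424f20ffd56734cdc35a75ae3cca88002f94c40949a27": "FileRipple (PostInstall)",
    "23186719325c87eb4e17aae0db502e78fb24598e97c8a9c151d7c347e72c0331": "Safari14.1.2MojaveAuto.pkg (second phase)",
}

# Assumed allowlist: search-provider hosts this organisation expects in Chrome. Adjust to policy.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Chrome's per-profile preference file on macOS (the default profile).
CHROME_PREFS = os.path.expanduser("~/Library/Application Support/Google/Chrome/Default/Preferences")


def classify_file(data: bytes) -> Optional[str]:
    """Return the IoC label if the file content hashes to a published JSCoreRunner hash."""
    return JSCORERUNNER_SHA256.get(hashlib.sha256(data).hexdigest())


def search_provider_host(prefs: dict) -> Optional[str]:
    """Host of the default search provider configured in Chrome prefs, or None if Chrome's built-in default is in use."""
    url = prefs.get("default_search_provider_data", {}).get("template_url_data", {}).get("url")
    return urlparse(url).hostname if url else None


def is_search_hijacked(prefs: dict) -> bool:
    """True when an explicit search provider is set and its host is not on the allowlist."""
    host = search_provider_host(prefs)
    return host is not None and host not in EXPECTED_SEARCH_HOSTS


# Constructed sample preference data: a clean profile and one rewritten to a fake provider.
CLEAN_PREFS = {"default_search_provider_data": {"template_url_data": {
    "keyword": "google.com", "short_name": "Google", "url": "https://www.google.com/search?q={searchTerms}"}}}
HIJACKED_PREFS = {"default_search_provider_data": {"template_url_data": {
    "keyword": "fake-search", "short_name": "Search", "url": "https://search.example-hijack.invalid/?q={searchTerms}"}}}

if __name__ == "__main__":
    if os.path.exists(CHROME_PREFS):
        with open(CHROME_PREFS, encoding="utf-8") as fh:
            live = json.load(fh)
        print("Chrome search provider:", search_provider_host(live), "hijacked:", is_search_hijacked(live))
    for label, prefs in (("clean sample", CLEAN_PREFS), ("hijacked sample", HIJACKED_PREFS)):
        print(label, "->", search_provider_host(prefs), "hijacked:", is_search_hijacked(prefs))
```

To check a downloaded installer, pass its bytes to `classify_file`; a match on any of the four hashes identifies the stage named in the table above.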
### Final Thoughts
The discovery of JSCoreRunner by Mosyle’s Security Research team underscores the need for continuous monitoring and a layered security strategy to defend against evolving threats that can slip past standard security controls. Mac administrators are encouraged to educate users about the risks of downloading software from unverified sources and to stress the importance of vigilance against sophisticated cyber threats.