Mac Users at Risk – PDF Conversion Tool Exploited by Stealthy ‘JSCoreRunner’ Malware

A sophisticated new Mac malware campaign has been uncovered by Mosyle, a leading Apple security provider, with a strain dubbed “JSCoreRunner” targeting users via fake online PDF conversion sites, such as fileripple[.]com.

The zero-day threat stands out for its ability to bypass existing detection tools and macOS security mechanisms, putting users and enterprise networks at risk.

Mac Users at Risk — PDF Tool Exploited

Cybercriminals are increasingly creating fraudulent file conversion tools for popular formats, such as PDF, HEIC, and WebP, exploiting the demand for quick fixes to compatibility issues.

The FBI recently warned about malware and financial fraud linked to such sites, with fileripple[.]com acting as a front for the malicious JSCoreRunner campaign. Victims are enticed to download a “useful” utility that, in reality, serves as a delivery vehicle for advanced malware.

The attack unfolds in two stages. First, users download FileRipple.pkg, a package masquerading as a legitimate PDF tool, which deploys a fake app interface using a webview while running malicious code in the background.

Though Apple has since revoked the developer’s certificate, neutralizing the initial installer, the threat persists through the second stage.

Two-Stage Attack Bypasses Security

JSCoreRunner’s actual payload arrives with Safari 14.1.2 Mojave Auto.pkg, an unsigned installer downloaded from the same fake site. Unsigned, it evades default macOS defenses, such as Gatekeeper, thereby granting the malware access to the target system.

Upon installation, it establishes contact with a command-and-control server, confirms the infection, removes quarantine flags from the application, and strategically sets execution paths for its primary binary.

Technically, JSCoreRunner homes in on the user’s Chrome browser profiles, traversing the ~/Library/Application Support/Google/Chrome directory to identify all profiles.

It rewrites search engine configurations via the “TemplateURL” object, redirecting users to fraudulent search providers and promoting malicious search results. Arguments passed to Chrome mask malware activity, suppressing crash reporting and session restoration alerts.
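A defender-side check for the Chrome tampering described above, added here as an example and not code from Mosyle's report: it enumerates Chrome profiles under the same directory the malware walks and flags any default search provider whose host is not on an allowlist. The Preferences key path (`default_search_provider_data.template_url_data`) and the allowlist of expected search hosts are assumptions to adjust for your fleet.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist of legitimate search-provider hosts; adjust for your environment.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Same directory the report says JSCoreRunner traverses to find profiles.
CHROME_ROOT = Path.home() / "Library/Application Support/Google/Chrome"


def list_profiles(chrome_root: Path) -> list:
    """Return Chrome profile directories ('Default', 'Profile N') under the root."""
    if not chrome_root.is_dir():
        return []
    return sorted(p for p in chrome_root.iterdir()
                  if p.is_dir() and (p.name == "Default" or p.name.startswith("Profile ")))


def audit_preferences(prefs: dict) -> list:
    """Return findings for one profile's parsed Preferences JSON.

    Assumes the stored search-engine (TemplateURL) data lives at
    default_search_provider_data.template_url_data with 'url', 'suggestions_url'
    and 'keyword' fields; an absent entry means the browser default is in use.
    """
    findings = []
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if not tpl:
        return findings
    for field in ("url", "suggestions_url"):
        raw = tpl.get(field)
        if not raw:
            continue
        host = urlparse(raw).hostname or ""
        if host not in EXPECTED_SEARCH_HOSTS:
            findings.append(f"{field} points to unexpected host {host!r} "
                            f"(keyword={tpl.get('keyword')!r})")
    return findings


def audit_profile(profile_dir: Path) -> list:
    """Load a profile's Preferences file (if present) and audit it."""
    prefs_path = profile_dir / "Preferences"
    if not prefs_path.is_file():
        return []
    with prefs_path.open(encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


if __name__ == "__main__":
    for profile in list_profiles(CHROME_ROOT):
        for finding in audit_profile(profile):
            print(f"[{profile.name}] {finding}")
```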

Vigilance and Multi-Layered Defense Needed

The primary impact for victims is browser hijacking, phishing via redirected searches, and the risk of financial and data theft through keylogging and malicious search manipulation.

JSCoreRunner’s evasion of both VirusTotal and Apple’s standard security protocols demonstrates the need for continuous monitoring and comprehensive endpoint security systems.

For defenders, Mosyle provides SHA256 hashes for all known installers and payload variants, facilitating detection and response.

Mac admins should tighten controls, deploy multi-layered protection strategies, and proactively educate users about the dangers of downloading tools from untrustworthy sites.

If left unchecked, JSCoreRunner poses a significant risk to businesses, including data loss, privacy violations, and financial harm. Immediate awareness and action are essential in the face of evolving Mac-specific threats.


The post Mac Users at Risk – PDF Conversion Tool Exploited by Stealthy ‘JSCoreRunner’ Malware appeared first on Cyber Security News.
