How to remove Activator malware from infected computers
Written by Tomas Meskauskas on (updated)
What is Activator?
Recently, cracked apps on pirating websites that carried a Trojan proxy were discovered. The bad actors took pre-cracked apps, repackaged them as PKG files, and hid a Trojan proxy along with a script to infect systems after installation. The application named Activator is also involved in the malicious campaign.
More about the campaign involving Activator
The identified samples demonstrated successful execution on macOS Ventura 13.6 and later, indicating a focus on users with newer operating system versions, encompassing both Intel processors and Apple silicon machines.
Within the compromised disk images, a program named Activator and the desired application are present. When users open or mount the image, a window appears with installation instructions. Users are instructed to copy the app to /Applications/ and then initiate Activator.
The Activator features a "PATCH" button. Clicking the "PATCH" button (and entering a password) triggers a chain of events designed for persistent and covert interaction with external servers. In this stage, a Python script is downloaded. This script reveals the malware operators' intentions of executing commands received from the server.
Simultaneously, the script gathers and sends system information, including the operating system version, directories in /Users/, a list of installed applications, CPU type, and the external IP address. Periodic updates can also occur, adjusting metadata like the C2 server details, program GUID, and version.
In the last stage, the script adds a cryptostealer that checks for cryptowallet applications like Exodus and Bitcoin-Qt. If found, it replaces them with infected versions from the specified server. The stolen wallets send data to a malicious server. Even without new commands, the program can still cause harm by stealing users' cryptowallets, compromising their security.
| Name | Activator backdoor |
| Threat Type | Mac malware, Mac virus, Backdoor |
| Detection Names | Arcabit (Trojan.MAC.Generic.D1C91A [many]), Combo Cleaner (Trojan.MAC.Generic.117018), G-Data (Trojan.MAC.Generic.117031), Kaspersky (UDS:DangerousObject.Multi.Generic), Full List Of Detections (VirusTotal) |
| Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
| Distribution Methods | Shady websites, pirated/cracked software |
| Damage | Monetary loss (stolen cryptocurrency) |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Conclusion
In conclusion, the multi-stage malware campaign involves the deployment of various malicious components. Beginning with a downloader, it progresses through stages that include covert communication with a C2 server, execution of arbitrary commands, and the introduction of a cryptostealer targeting popular cryptowallet applications.
The campaign is dynamic, showcasing ongoing development with periodic updates to adapt to the changing environment. The intent appears to be financially motivated, exploiting unsuspecting users by compromising their cryptowallets.
How did malware install on my computer?
The malware distribution unfolds through deceptive means, with initial exposure occurring on pirated websites where cracked applications are shared. Malicious actors utilize these platforms to circulate infected software, initially disguising it as legitimate applications. Users unwittingly download and install these compromised applications, initiating the malware's infiltration process.
Also, users can infect their computers through phishing emails, where clicking on malicious links or opening infected attachments launches malware. Additionally, drive-by downloads from compromised websites pose a risk, automatically installing malware when users visit such sites.
In other cases, users cause computer infections through malicious ads, downloads from P2P networks, third-party downloaders, shady app stores, etc. Using outdated software can also result in having a computer infected.
How to avoid installation of malicious applications?
Regularly update their operating systems, software, and security applications to patch vulnerabilities and defend against the latest threats. Implement reputable antivirus and anti-malware software. Avoid clicking on suspicious links or opening attachments within suspicious emails, and refrain from visiting untrustworthy websites or clicking ads on them.
Download apps from official pages or app stores and avoid obtaining pirated software or cracking tools. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate all threats.
The installer containing Activator:
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
Unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "Activator" and other suspicious applications, and drag them to the Trash. After removing unwanted application(s), scan your Mac for any remaining unwanted components.
Frequently Asked Questions (FAQ)
My computer is infected with Activator malware, should I format my storage device to get rid of it?
Before resorting to formatting your storage device, it's advisable to try using antivirus software like Combo Cleaner. Antivirus tools can often effectively detect and remove malware, providing a less drastic solution while preserving your data.
What are the biggest issues that malware can cause?
Malware can cause significant issues, including compromised system security, data breaches, loss of sensitive information, financial theft, unauthorized access, system instability, data encryption, etc.
What is the purpose of Activator malware?
Activator malware is crafted with the intent of undergoing a sequence of stages, enabling persistent and discreet engagement with external servers. A crypto stealer is introduced during the final stage, which scans for and substitutes existing crypto wallet applications with compromised versions. Subsequently, the pilfered wallet data is sent to a malicious server.
How did Activator malware infiltrate my computer?
Activator malware is distributed using pages hosting pirated applications. It is likely that you unknowingly downloaded and installed such an application and initiated the malware's infiltration process.
Will Combo Cleaner protect me from malware?
Combo Cleaner is effective in detecting and eradicating the majority of known malware infections. It is important to recognize that high-end malware often hides deeply within the system. As a result, running a full system scan is required for successful detection and removal.
Outstanding!
▼ Show Discussion