
New Mac malware identified that evades detection through fake PDF conversion tool

Medium
Published: Fri Aug 29 2025 (08/29/2025, 20:19:59 UTC)
Source: AlienVault OTX General

Description

Mosyle has discovered a new Mac malware strain called 'JSCoreRunner' that evades detection by masquerading as a PDF conversion tool. The malware spreads through a malicious website, fileripple.com, and operates in two stages. The first stage, FileRipple.pkg, appears as a legitimate PDF tool while running malicious code in the background. The second stage, Safari14.1.2MojaveAuto.pkg, bypasses Gatekeeper's protections. Once installed, JSCoreRunner targets Chrome browsers, altering search engine settings to redirect users to fraudulent providers. This exposes users to keylogging, phishing, and potential data theft. The malware's sophisticated approach highlights the need for vigilance and proactive security measures for Mac administrators.

AI-Powered Analysis

AI analysis last updated: 09/01/2025, 09:03:12 UTC

Technical Analysis

The JSCoreRunner malware is a newly identified Mac-targeting threat discovered by Mosyle that employs a sophisticated two-stage infection process to evade detection and compromise user systems. It masquerades as a legitimate PDF conversion tool, distributed via the malicious website fileripple.com. The first stage involves the installation of FileRipple.pkg, which appears as a benign PDF utility but executes malicious code covertly. The second stage installs Safari14.1.2MojaveAuto.pkg, which is designed to bypass Apple's Gatekeeper security mechanism, allowing the malware to persist undetected. Once fully installed, JSCoreRunner specifically targets Google Chrome browsers by altering their search engine settings to redirect users to fraudulent providers. This redirection facilitates further malicious activities such as keylogging, phishing, and potential data theft. The malware leverages multiple attack techniques, including process injection (T1055.001), command and scripting interpreter abuse (T1059.007, T1059.005), user execution (T1204.002), and browser manipulation (T1553.002, T1553.005). The use of a fake PDF tool as a delivery vector and the ability to bypass Gatekeeper protections highlight the malware’s advanced evasion capabilities. Although no known exploits are currently active in the wild, the presence of zero-day elements and the targeting of widely used software components underscore the threat’s potential severity. Indicators of compromise include multiple file hashes and the domain fileripple.com, which should be monitored for detection and response efforts.

Potential Impact

For European organizations, the JSCoreRunner malware poses a significant risk primarily to Mac users, particularly those using Google Chrome browsers. The malware’s ability to hijack browser settings and redirect users to fraudulent sites exposes organizations to credential theft, espionage, and data exfiltration risks. This can lead to compromised employee accounts, unauthorized access to corporate resources, and potential financial fraud. The stealthy nature of the infection, including bypassing Gatekeeper and masquerading as legitimate software, increases the likelihood of successful infiltration, especially in environments where Mac endpoint security is less mature or where users have elevated privileges. Given the increasing adoption of Mac devices in European enterprises and public sector organizations, the threat could disrupt operations, damage reputations, and lead to regulatory compliance issues under GDPR if personal data is compromised. The phishing and keylogging capabilities further amplify the risk of lateral movement within networks and broader compromise.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to this threat:
1) Enforce strict application whitelisting and restrict installation of software from untrusted sources, particularly monitoring for packages like FileRipple.pkg and Safari14.1.2MojaveAuto.pkg.
2) Enhance endpoint detection capabilities with behavioral analysis focused on unusual browser configuration changes and Gatekeeper bypass attempts.
3) Deploy network-level protections to block access to known malicious domains such as fileripple.com and monitor DNS queries for suspicious redirections.
4) Educate users about the risks of downloading software from unofficial websites and the dangers of fake utility tools.
5) Regularly audit Chrome browser settings across enterprise devices to detect unauthorized modifications.
6) Apply the latest macOS security updates and consider deploying advanced endpoint protection solutions capable of detecting zero-day evasion techniques.
7) Implement strong multi-factor authentication to mitigate the impact of credential theft.
8) Maintain incident response plans that include forensic analysis of Mac endpoints to quickly identify and remediate infections.
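Recommendation 5 (auditing Chrome search settings for the kind of hijack described above) can be scripted. The following is an added example, not code from Mosyle or from this feed; it assumes Chrome's per-profile Preferences JSON stores the default search engine under default_search_provider_data.template_url_data, uses a constructed allowlist, and runs against constructed sample profiles rather than real indicators.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Search-provider hosts the organisation accepts (constructed allowlist; adjust to policy).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}

# Per-profile Chrome Preferences file on macOS (path and JSON layout assumed from
# Chrome's profile structure; verify against your own fleet before deploying).
CHROME_PREFS = Path.home() / "Library/Application Support/Google/Chrome/Default/Preferences"


def audit_search_provider(prefs: dict) -> list[str]:
    """Return findings about the default search provider configured in one Preferences dict."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if not data:
        return []  # key absent: Chrome is on its built-in default, nothing was set by user or malware
    url = data.get("url", "")
    if url.startswith("{google:"):
        return []  # Chrome's own Google template uses a placeholder rather than a literal host
    host = urlparse(url).hostname or "<unparseable>"
    findings = []
    if host not in ALLOWED_SEARCH_HOSTS:
        findings.append(f"default search URL points to unexpected host: {host}")
    name = data.get("short_name", "")
    # A provider that calls itself "Google" but sends queries elsewhere is the classic hijack signature.
    if "google" in name.lower() and host != "www.google.com":
        findings.append(f"provider named {name!r} but queries go to {host}")
    return findings


def audit_file(path: Path = CHROME_PREFS) -> list[str]:
    """Load a real Preferences file and audit it; a missing file means no Chrome profile here."""
    if not path.is_file():
        return []
    with path.open(encoding="utf-8") as fh:
        return audit_search_provider(json.load(fh))


# Constructed sample profiles (not real indicators): one clean, one resembling a search hijack.
CLEAN_PREFS = {"default_search_provider_data": {"template_url_data": {
    "short_name": "DuckDuckGo", "keyword": "duckduckgo.com",
    "url": "https://duckduckgo.com/?q={searchTerms}"}}}
HIJACKED_PREFS = {"default_search_provider_data": {"template_url_data": {
    "short_name": "Google", "keyword": "google.com",
    "url": "https://search.example-redirector.invalid/q?s={searchTerms}"}}}

if __name__ == "__main__":
    for label, prefs in (("clean", CLEAN_PREFS), ("hijacked", HIJACKED_PREFS)):
        print(label, audit_search_provider(prefs) or ["no findings"])
    print("local profile", audit_file() or ["no findings"])
```

Run it per user profile via your MDM or a scheduled job and forward non-empty findings to the SIEM; the same function works on profiles other than Default by passing their Preferences path to audit_file.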


Technical Details

Author: AlienVault
TLP: white
References: https://9to5mac.com/2025/08/27/mosyle-identifies-new-mac-malware-that-evades-detection-through-fake-pdf-conversion-tool
Adversary: null
Pulse Id: 68b20b6fce80c3addd5e54a3
Threat Score: null

Indicators of Compromise

Hash


Domain

fileripple.com

Threat ID: 68b55dabad5a09ad00cbc9e6

Added to database: 9/1/2025, 8:47:39 AM

Last enriched: 9/1/2025, 9:03:12 AM

Last updated: 10/19/2025, 4:31:13 AM
