- Feb 4, 2016
A variant of an older piece of adware built for Macs called OperatorMac has been seen in the wild, and while like most adware it tries to turn a profit, it also illustrates some defensive shortcomings native to Apple’s ecosystem and the industry.
Components of the new strain, which is called Mughthesec, are signed with a legitimate Apple developer certificate allowing it to bypass macOS’ native Gatekeeper protection that keeps users from installing unsigned applications. Detection on VirusTotal has also been minimal to date, despite some users reporting infections going back as long as six months.
Mughthesec masquerades as an Adobe Flash installer which drops the malware onto the victim’s machine and asks permission to install other programs such as Advanced Mac Cleaner, Safe Finder and Booking[.]com. Advanced Mac Cleaner, Wardle said, triggered a number of alerts as it attempted to install a persistent agent on the computer. The malware also attempts to connect to any of three embedded URLs known for malicious behavior, including banking malware.
“The PUPs are in my opinion, rather shady. I mean they automatically install browser plugins circumventing Apple’s security mechanisms in Safari,” Wardle said. “So sure, they ask for user permission to be installed during install, but then do things that generally the user probably doesn’t want. It’s that gray area between legit code and malware.”
The researcher also said that the malware contains detection capabilities that prevent it from executing if it’s running inside a virtual machine. If it does sense the presence of a VM, it will instead drop a legitimate version of Flash.
The installer and the application itself were both signed with an Apple developer certificate issued to a developer named Quoc Thinh. The installer disk image was uploaded to VirusTotal on Aug. 4 and had zero detections from antimalware engines at the time. The binary likewise has zero detections on VirusTotal, and it contains logic that helps it evade detection by numerous security products, Wardle said.
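The signed-installer point above is the one defenders most need to act on: Gatekeeper's default policy accepts any valid Developer ID signature, so "signed" says nothing about whether the signer is the vendor the installer claims to be. The following is an added example, not code from the article or from Wardle's analysis. It parses the key=value output of `codesign -dv --verbose=4` (layout assumed from the tool's usual format) and flags a Developer ID-signed bundle whose Team ID is not allowlisted or whose signer name does not match the claimed vendor. The paths, Team IDs and output text are constructed placeholders, not values from the Mughthesec sample.

```python
import re
from typing import Dict, List

# Constructed sample resembling `codesign -dv --verbose=4 <app>` output. The path,
# bundle identifier and Team ID are placeholders, not taken from the real sample.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Install Flash Player/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Quoc Thinh (PLACEHOLDERTEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERTEAM
"""

# Team IDs an organisation has decided to trust for Flash installers.
# "ADOBETEAMID" is a placeholder, not Adobe's real Team ID.
ALLOWED_TEAM_IDS = {"ADOBETEAMID"}

def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Turn key=value lines into a dict; repeated keys (Authority=) become lists."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def assess(output: str, allowed: set, claimed_vendor: str) -> Dict[str, object]:
    """Decide whether a Developer ID-signed bundle should actually be trusted.

    A valid Developer ID chain is enough for Gatekeeper; here we additionally
    require the Team ID to be allowlisted and the leaf certificate's subject
    name to match the vendor the installer presents itself as.
    """
    f = parse_codesign(output)
    team = f.get("TeamIdentifier", ["?"])[0]
    leaf = next((a for a in f.get("Authority", [])
                 if a.startswith("Developer ID Application:")), "")
    m = re.match(r"Developer ID Application: (.+?) \((\w+)\)$", leaf)
    signer = m.group(1) if m else "unknown"
    verdict: Dict[str, object] = {
        "team_id": team,
        "signer": signer,
        "gatekeeper_ok": bool(m),  # a Developer ID leaf is present
        "team_allowlisted": team in allowed,
        "vendor_mismatch": claimed_vendor.lower() not in signer.lower(),
    }
    verdict["suspicious"] = verdict["gatekeeper_ok"] and (
        not verdict["team_allowlisted"] or verdict["vendor_mismatch"])
    return verdict

if __name__ == "__main__":
    print(assess(SAMPLE_CODESIGN_OUTPUT, ALLOWED_TEAM_IDS, "Adobe"))
```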
Once installed, the malware’s goal is profit.
“A common tactic of adware is to hijack the victim’s browser (homepage, inject ads, etc) for financial gain,” Wardle said. “Mughthesec (which is installed when the user ‘agrees’ to install ‘Safe Finder’) appears to conform to that goal.”
First, the malware changes the victim’s browser homepage to an attacker-controlled domain.
“If we open Safari, indeed the home page has been hijacked–though in a seemingly innocuous way,” Wardle said, adding that he did not test the sample on Google’s Chrome browser. “It simply displays a rather ‘clean’ search page—though looking at the source, we can see the inclusion of several ‘Safe Finder’ scripts.”
“Yes it’s rather unsophisticated macOS malware, but its installer is signed (to ‘bypass’ Gatekeeper) and at the time of this analysis no anti-virus engines detected it... and mac users are being infected,” Wardle said. “Speaking of infection, due to the fact that the installer is masquerading as a Flash Player installer, it’s likely that this adware is relying on common infection techniques to gain new victims. Either way, user interaction is likely required.”