Stealthy Mac Malware Out of Closet

Monday, August 14, 2017 @ 05:08 PM gHale


Because Apple products have traditionally not been central to the workplace, attackers limited their malware activity against them.

But with Macs gaining more of a foothold, stealthy malware is beginning to creep in.


The latest example, Mughthesec, is named after the app and the launch agent it installs on the target machine. In short, the malware is adware.

The sample analyzed by security researcher Patrick Wardle was not detected by a Mac AV solution, and it was taken from an infected MacBook, after being spotted by a user.

Wardle obtained the adware’s original installer and tested it on VirusTotal. It did not detect the malware.

Both files ended up signed with the same valid developer certificate, which Apple revoked soon after Wardle’s analysis.

The disk image looks like it was an Adobe Flash installer, and if it detects it is being run in a virtual machine, it will install only a legitimate copy of Flash.

If not, it will reach out to a C&C server, and then ask the victim to install a fake, scammy utility app (Advanced Mac Cleaner), a piece of adware (Safe Finder), and browser hijacker (Booking.com).

The result of the installation is a hijacked Safari homepage (made to point to a search page), an installed Safari extension (AnySearch) that changes the search engine in the Safari address bar, injected ads, and a panic-inducing alert by Advanced Mac Cleaner, which apparently finds a plethora of issues affecting the computer. Naturally, to “fix” them, the user has to pay.

Wardle said the malware ends up delivered to end users via malicious ads and/or pop-ups, and it all points to it being a newer variant of a previously flagged adware dubbed Safe Finder/Operator Mac.

If your computer has been hit with this variant of Mughthesec, delete the unwanted apps and the “Any Search” browser extension, and unload and delete the Mughthesec launch agent (~/Library/LaunchAgents/com.Mughthesec.plist).
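The launch-agent step above as a shell function. This is an added example, not code from the article or from Wardle's analysis. It assumes the plist is XML; the function names and the optional `home_dir` argument are hypothetical.

```shell
#!/bin/sh
# Check for, unload and delete the Mughthesec launch agent named in the article.
# Usage after sourcing this file: remove_mughthesec_agent [home_dir]
# home_dir defaults to $HOME.

AGENT_LABEL="com.Mughthesec"   # label taken from the plist path in the article

# Print the absolute path(s) an XML plist launches, so the analyst can see
# which binary the agent starts before deleting the app itself.
# Assumption: XML plist; a binary plist needs `plutil -convert xml1` first.
agent_targets() {
    sed -n 's:.*<string>\(/[^<]*\)</string>.*:\1:p' "$1"
}

# Returns 0 if the agent was found and removed, 1 if it was not present.
remove_mughthesec_agent() {
    home_dir="${1:-$HOME}"
    plist="$home_dir/Library/LaunchAgents/$AGENT_LABEL.plist"

    if [ ! -f "$plist" ]; then
        echo "not found: $plist"
        return 1
    fi

    echo "found: $plist"
    agent_targets "$plist" | while IFS= read -r target; do
        echo "launches: $target"
    done

    # Unload before deleting so launchd stops the running job.
    # Skipped on systems without launchctl (for example a forensic copy on Linux).
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || echo "warning: unload failed" >&2
    fi

    rm -f "$plist" && echo "removed: $plist"
}
```

The function handles only the launch agent; the unwanted apps and the browser extension still have to be removed separately, as the article describes.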

“What is Mughthesec? The answer; likely a new variant of the ‘SafeFinder/OperatorMac’ adware. Yes it’s rather unsophisticated macOS malware, but its installer is signed (to ‘bypass’ Gatekeeper) and at the time of this analysis no anti-virus engines were detecting it … and Mac users are being infected,” Wardle said.

“Speaking of infection, due to the fact that the installer is masquerading as Flash Player installer, it’s likely that this adware is relying on common infection techniques to gain new victims,” he said. “If I had to guess its infection vector is likely one (or all?) of the following:
• Fake popups on ‘shady’ websites
• Malicious ads, perhaps on legit websites


