Mac Malware Affects Encrypted Traffic

Monday, October 29, 2018 @ 06:10 PM gHale

New malware focusing on macOS devices can insert ads into encrypted web traffic, researchers said.

OSX.SearchAwesome, discovered by Malwarebytes’ Adam Thomas, is delivered through a malicious installer posing as a cracked app downloaded via a torrent. The installer is a disk image file.


When launched, the installer on the image silently installs its components and then prompts the user to authorize changes to Certificate Trust Settings and to allow a component called spi to modify the network configuration, Malwarebytes researcher Thomas Reed said in a post.


Like other adware, the spinstall app installs an application and launch agents, one of which launches the spi application. The agent does not keep spi running, so the user can force-quit it, but it is launched again at the next login, Reed said.

Another agent monitors spi.app for removal and, if it is deleted, removes the malware’s other component.

SearchAwesome also installs mitmproxy, an open-source tool designed to intercept, inspect, modify and replay web traffic, and abuses it to man-in-the-middle (MitM) both unencrypted and encrypted traffic.

Because the user authorized the change to Certificate Trust Settings, the mitmproxy root certificate is now trusted by the system. The proxy can therefore terminate the TLS connection, read and modify HTTPS traffic that is normally encrypted end to end between the browser and the website, and re-encrypt it toward the browser under a certificate the browser accepts without warning.

The proxy injects JavaScript into every web page the victim visits; the script itself is loaded from a malicious website.

If spi.app is deleted, the uninstall agent runs a script that disables the proxy the adware set up, reads information from the program’s preferences and sends it to a web server, and removes the preferences and the launch agents.

The script also causes an authentication prompt to appear four times, Reed said. The uninstaller leaves behind the mitmproxy software and the certificate used to intercept encrypted web traffic, so the system keeps trusting that certificate even after the adware itself is gone and it must be removed by hand.
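The artifacts described above (a system-level proxy pointing at mitmproxy, an admin trust setting for the mitmproxy root certificate, and launch agents that start spi.app or watch for its removal) can be checked for with standard macOS tools. The following triage script is an added example, not code from the article or from Malwarebytes. The component names spi.app, spinstall and mitmproxy are taken from the article; the paths, the launch-agent heuristic and the exact command-output formats the parsers expect are assumptions based on the standard `networksetup` and `security` utilities. The parsing helpers read captured output on stdin, so they can be exercised on any system; only the `triage` function needs a Mac.

```shell
#!/bin/sh
# Added triage script for the OSX.SearchAwesome artifacts described in the
# article. Not from the article or Malwarebytes; component names are from
# the article, everything else is an assumption based on macOS tooling.

# Parse the output of "networksetup -getwebproxy <service>" (or
# -getsecurewebproxy) from stdin. Prints "host:port" and returns 0 when
# the proxy is enabled; prints nothing and returns 1 otherwise.
proxy_target() {
    awk '
        /^Enabled:/ { on = ($2 == "Yes") }
        /^Server:/  { host = $2 }
        /^Port:/    { port = $2 }
        END { if (on && host != "") { print host ":" port; exit 0 } exit 1 }
    '
}

# Parse the output of "security dump-trust-settings -d" (the admin trust
# domain, which is what the installer asked the user to authorize changes
# to) from stdin. $1 is the certificate name, matched as a literal line of
# the form "Cert N: <name>". Prints matching lines; returns 1 if none.
trusted_cert_named() {
    grep -E "^Cert [0-9]+: $1\$"
}

# Scan a LaunchAgents directory ($1, default the current user's) for plists
# that reference the malware's components. Prints matching paths; returns 1
# if the directory is missing or nothing matches. Heuristic: the article
# does not give the agents' labels, so we match on the component names.
suspicious_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 1
    grep -liE 'spi\.app|spinstall|mitmproxy' "$dir"/*.plist 2>/dev/null
}

# Live checks. Only meaningful on macOS; elsewhere they are skipped.
triage() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup/security not available: skipping live checks"
    else
        # The first line of -listallnetworkservices is a legend and a
        # leading '*' marks a disabled service; strip both.
        networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
        while IFS= read -r svc; do
            for kind in webproxy securewebproxy; do
                if target=$(networksetup "-get$kind" "$svc" | proxy_target); then
                    echo "proxy: $svc $kind -> $target"
                fi
            done
        done
        if security dump-trust-settings -d 2>/dev/null |
               trusted_cert_named mitmproxy >/dev/null; then
            echo "admin trust setting present for a certificate named mitmproxy"
        fi
        # -Z prints the certificate hash; keep it for the removal step.
        security find-certificate -a -c mitmproxy -Z 2>/dev/null |
            grep '^SHA-1' | sed 's/^/mitmproxy certificate in keychain, /'
    fi
    suspicious_agents ||
        echo "no launch agents referencing spi.app, spinstall or mitmproxy"
    return 0
}

triage
```

Run it as `sh triage.sh` on the affected Mac. Removal is manual, since the article notes the adware’s own uninstaller leaves the certificate and mitmproxy in place: export the certificate with `security find-certificate -c mitmproxy -p > mitmproxy.pem`, drop its trust setting with `security remove-trusted-cert -d mitmproxy.pem`, delete it with `security delete-certificate -c mitmproxy`, and turn the proxy off for each flagged service with `networksetup -setwebproxystate "<service>" off` and `networksetup -setsecurewebproxystate "<service>" off`. A browser that keeps its own certificate store (Firefox, for example) needs a separate check.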
