New Signed Adware Spotted in the Wild Bypasses Apple’s Gatekeeper to Hijack Macs

Aug 9, 2017

Research released earlier this week revealed that a new variant of an older Mac malware family, OperatorMac, has been spotted in the wild. While the researchers called it an “unsophisticated” macOS malware, they confirmed that at the time of their analysis neither any anti-virus program nor Gatekeeper detected it.

The new strain, called Mughthesec, is signed with a legitimate Apple developer certificate and therefore passes Gatekeeper. Gatekeeper is Apple’s defense mechanism for macOS that blocks the installation of unsigned applications downloaded from the internet. But, as the latest research shows, a valid signature does not make an application safe. Apple has since revoked the developer ID associated with this malware strain.
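As an added triage check, not code from the article or from the researchers it cites: a small Python wrapper around Apple’s `spctl` and `codesign` tools that records the Gatekeeper verdict together with the Developer ID and Team ID that signed a bundle, so that a signed-but-later-revoked installer of this kind can be recognised rather than trusted on the verdict alone. The sample tool outputs, the app path and the Team ID are constructed placeholders, and the revocation string is an assumption noted in the code.

```python
import re
import subprocess

# Constructed sample output in the two tools' formats (placeholder developer
# name and Team ID; not values from the Mughthesec sample).
SAMPLE_SPCTL = (
    "/Applications/Install Flash.app: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SAMPLE_CODESIGN = (
    "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
)

def parse_spctl(output: str) -> dict:
    """`spctl --assess -vv`: a '<path>: accepted|rejected' line, then key=value lines."""
    result = {"verdict": "unknown", "source": "", "origin": ""}
    for line in output.splitlines():
        m = re.match(r"^(.+): (accepted|rejected)$", line.strip())
        if m:
            result["verdict"] = m.group(2)
        elif "=" in line:
            key, _, value = line.strip().partition("=")
            if key in result:
                result[key] = value
    return result

def parse_codesign(output: str) -> dict:
    """`codesign -dvv` / `codesign --verify`: certificate chain (leaf first), the
    10-character Team ID in the leaf subject, and a revocation flag.
    Assumption: a revoked certificate is reported as CSSMERR_TP_CERT_REVOKED."""
    chain = [l.split("=", 1)[1] for l in output.splitlines() if l.startswith("Authority=")]
    team = re.search(r"\(([A-Z0-9]{10})\)", chain[0]) if chain else None
    return {"chain": chain, "team_id": team.group(1) if team else "",
            "revoked": "CSSMERR_TP_CERT_REVOKED" in output}

def assess_bundle(path: str) -> dict:
    """Run both tools on an app bundle (macOS only; elsewhere subprocess raises
    FileNotFoundError). Both print diagnostics on stderr. 'accepted' only means
    the signature verified now; compare the Team ID against revocation notices."""
    def run(*argv):
        p = subprocess.run(argv, capture_output=True, text=True)
        return p.stdout + p.stderr
    gate = parse_spctl(run("spctl", "--assess", "--type", "execute", "-vv", path))
    sig = parse_codesign(run("codesign", "-dvv", path)
                         + run("codesign", "--verify", "--deep", "--strict", path))
    return {**gate, **sig}
```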


“So we’ve got Gatekeeper that’s designed to block unsigned code from the internet to prevent users from getting tricked into installing malware (e.g. fake flash updaters)….which is a great idea. But now most Mac adware/malware is just signed with certs. So gatekeeper is basically a moot point. Normal-everyday users are still going to go around infecting themselves…and things designed to protect them; Gatekeeper/AV etc, really don’t offer any help.” – security researcher

Mughthesec – another Mac malware hiding as Flash Player

Mughthesec masquerades as the infamous, and finally dying, Adobe Flash installer. Once running, the adware asks the victim for permission to install other programs, named Advanced Mac Cleaner, Safe Finder, and Booking.com.

Advanced Mac Cleaner, the researchers wrote, triggered a number of alerts while trying to install a persistent agent on the computer, and it also warns the victim of “several ‘critical’ issues,” as befits its name as a Mac “cleaner.” Mughthesec then also tries to connect to three URLs, one of which, Kaspersky reports, is known for malicious behavior, including banking malware.

Reports of Mughthesec infections go back at least six months. However, as the researchers wrote in their blog post, it is not a very sophisticated piece of malware. “It’s likely that this adware is relying on common infection techniques to gain new victims,” wrote Patrick Wardle, the security researcher who seems to have an eye for macOS malware.


If I had to guess its infection vector is likely one (or all?) of the following:

  • fake popups on ‘shady’ websites
  • malicious ads perhaps on legit websites.

So yes, user interaction is required. Once installed, Mughthesec appears to have a single goal, generating revenue, which it pursues by hijacking the victim’s browser, “a common tactic of adware.” Wardle added that the adware also checks whether it is running inside a virtual machine and, if so, installs a legitimate copy of Flash instead of the adware payload.

“In a nutshell, I think the issue isn’t that anything here is incredibly new or exciting; more that existing security / mitigation strategies are rather failing miserably,” Wardle said, noting that Mughthesec had bypassed Gatekeeper and AV programs for over six months.
