New Mac Malware Injects Ads into Encrypted Traffic

Researchers at Malwarebytes have reported on a new piece of malware called OSX.SearchAwesome, which is being distributed via torrents disguised as cracked applications.

The download makes little effort to pass as a legitimate software installer: it is a bare disk image file. If the user is not put off by this and proceeds with the installation, OSX.SearchAwesome installs hidden components and then prompts the victim to approve a change to the Certificate Trust Settings (trusting a certificate the malware later uses to intercept encrypted traffic) and to let the spi component modify the network configuration, which is how the victim's traffic is routed through its proxy.

Like other adware, the installer (spinstall) drops an application and a set of launch agents. One agent, spid.plist, launches spi.app but does not keep the process alive, so the user can force quit it; it is simply relaunched at the next login. A second agent, spid-uninstall.plist, watches for removal of the malware and, if removal does occur, attempts to erase any remaining traces of the malware from the system.
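The persistence described above is ordinary launchd behaviour: a LaunchAgent with RunAtLoad but no KeepAlive starts its program at login and does nothing when the program is killed. The triage script below is an added example (not Malwarebytes' or the malware's code) that parses LaunchAgent plists with the standard-library plistlib, reports the fields that matter for persistence analysis, and flags agents whose label or program path matches the component names the article mentions (spid, spi.app, spinstall). The sample plist embedded in it is constructed for illustration, not a copy of the real spid.plist, and the marker list is an assumption rather than a vetted indicator set.

```python
"""Triage macOS LaunchAgents for persistence like the spid.plist / spid-uninstall.plist agents.

Added example, not code from Malwarebytes or from the malware. The marker list, the
sample plist and the paths below are constructed for illustration.
"""
import plistlib
from pathlib import Path

# Substrings matched against an agent's Label and program path. Assumed indicators
# taken from the component names in the article, not a vetted IOC list.
SUSPECT_MARKERS = ("spid", "spi.app", "spinstall")

# Constructed sample: an agent that starts spi.app at login but sets no KeepAlive,
# which is why a force-quit sticks until the next login.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>spid</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/spi.app/Contents/MacOS/spi</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def summarize_agent(plist_bytes: bytes) -> dict:
    """Extract the persistence-relevant fields from a LaunchAgent plist."""
    d = plistlib.loads(plist_bytes)
    program = d.get("Program") or (d.get("ProgramArguments") or [""])[0]
    return {
        "label": d.get("Label", ""),
        "program": program,
        "run_at_load": bool(d.get("RunAtLoad", False)),
        # KeepAlive is either a bool or a dict of conditions; a non-empty dict
        # also relaunches the job, so bool() is the right test for both forms.
        "keep_alive": bool(d.get("KeepAlive", False)),
        # WatchPaths is the usual way an agent reacts to a file being removed.
        "watch_paths": list(d.get("WatchPaths", [])),
    }


def is_suspect(summary: dict) -> bool:
    """True if the label or program path contains one of the assumed markers."""
    hay = (summary["label"] + " " + summary["program"]).lower()
    return any(m in hay for m in SUSPECT_MARKERS)


def scan_launch_agents(directory: Path) -> list:
    """Return a summary for every .plist in directory that matches the markers."""
    hits = []
    for p in sorted(directory.glob("*.plist")):
        try:
            s = summarize_agent(p.read_bytes())
        except Exception:
            # A malformed plist is itself worth a look; report it rather than skip it.
            hits.append({"path": str(p), "error": "unparseable"})
            continue
        if is_suspect(s):
            s["path"] = str(p)
            hits.append(s)
    return hits


if __name__ == "__main__":
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        if d.is_dir():
            for hit in scan_launch_agents(d):
                print(hit)
```

Run it on the infected Mac and the two agents named above should appear with run_at_load set and keep_alive clear; an agent carrying watch_paths pointing at the adware's own files is the removal watcher.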

OSX.SearchAwesome also installs mitmproxy on the infected machine, an open-source tool for intercepting, inspecting and modifying network traffic. The malware uses it as a man-in-the-middle (MitM) proxy, and because the victim has trusted the malware's certificate, the proxy can terminate TLS connections and present its own certificate for any site without triggering browser warnings. It can therefore tamper with encrypted traffic as well as unencrypted traffic, and it injects a malicious JavaScript, loaded from a harmful website, into every web page the victim visits.

The researchers note that even if the uninstaller runs, it leaves mitmproxy and the trusted certificate used to intercept encrypted traffic on the machine.
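Because the uninstaller leaves the interception pieces behind, a practitioner cleaning up an infected Mac needs to check for them explicitly. The script below is an added example (not Malwarebytes' or the malware's code) that checks the three things the article says can remain: proxy settings still pointing at a local interception proxy, a certificate labelled "mitmproxy" in a keychain, and the ~/.mitmproxy directory. The parsers assume the output formats of `networksetup -getwebproxy` / `-getsecurewebproxy` and `security find-certificate -a -Z` as they appear on recent macOS; the sample outputs embedded in it are constructed, and the port number in them is illustrative rather than taken from the malware.

```python
"""Post-removal checks for an OSX.SearchAwesome-style infection.

Added example, not Malwarebytes' or the malware's code. The command output formats
parsed here are assumptions about recent macOS; the sample outputs are constructed.
"""
import re
import subprocess
from pathlib import Path

LOCAL_PROXY_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample of `networksetup -getwebproxy Wi-Fi` on a machine whose
# HTTP traffic is still being sent to a proxy on the loopback interface.
SAMPLE_WEBPROXY = """Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0
"""

# Constructed sample of `security find-certificate -a -Z` (two records, hashes made up).
SAMPLE_SECURITY = """SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="mitmproxy"
    "labl"<blob>="mitmproxy"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="Example Root CA"
"""


def parse_webproxy(text: str) -> dict:
    """Parse networksetup -getwebproxy / -getsecurewebproxy output."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, _, v = line.partition(":")
            fields[k.strip()] = v.strip()
    return {
        "enabled": fields.get("Enabled", "No") == "Yes",
        "server": fields.get("Server", ""),
        "port": int(fields.get("Port") or 0),
    }


def proxy_is_local_intercept(p: dict) -> bool:
    """An enabled proxy on loopback is the footprint of a local MitM proxy."""
    return p["enabled"] and p["server"] in LOCAL_PROXY_HOSTS


def find_cert_labels(security_output: str, needle: str = "mitmproxy") -> list:
    """Return (label, sha1) pairs from `security find-certificate -a -Z` whose label contains needle.

    Each record starts with its hash lines, so the last SHA-1 seen belongs to the
    attributes that follow it.
    """
    hits, sha1 = [], None
    for line in security_output.splitlines():
        m = re.match(r"\s*SHA-1 hash:\s*([0-9A-Fa-f]+)", line)
        if m:
            sha1 = m.group(1)
            continue
        m = re.match(r'\s*"labl"<blob>="(.*)"\s*$', line)
        if m and needle.lower() in m.group(1).lower():
            hits.append((m.group(1), sha1))
    return hits


def check_live_system(service: str = "Wi-Fi") -> dict:
    """Run the real commands (macOS only) and summarise what is left behind."""
    out = {}
    for flag in ("-getwebproxy", "-getsecurewebproxy"):
        txt = subprocess.run(["networksetup", flag, service],
                             capture_output=True, text=True).stdout
        out[flag] = proxy_is_local_intercept(parse_webproxy(txt))
    txt = subprocess.run(["security", "find-certificate", "-a", "-Z"],
                         capture_output=True, text=True).stdout
    out["mitmproxy_certs"] = find_cert_labels(txt)
    out["mitmproxy_dir"] = (Path.home() / ".mitmproxy").is_dir()
    return out


if __name__ == "__main__":
    print(check_live_system())
```

The SHA-1 that find_cert_labels returns is the value `security delete-certificate -Z <hash>` takes, so the output feeds straight into the cleanup; the proxy state is cleared with `networksetup -setwebproxystate` and `-setsecurewebproxystate` for the affected service. Removing the certificate matters more than removing the proxy: as long as a "mitmproxy" root remains trusted, anything that can later set a proxy on the machine can intercept HTTPS silently.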

Malwarebytes' researchers warn that although OSX.SearchAwesome may look fairly harmless at first, the malicious script is loaded from a remote server, so the innocuous ads could be swapped at any moment for phishing pages or more serious malware.

“The injected script can do anything—from mining cryptocurrency to intercepting browser data, keylogging, and more. Worse, the malware itself can stealthily intercept information using MitM attacks, without relying on JavaScript or traffic modification,” the specialists summarize.
