Mac malware spreads through malicious results in Google searches

News by Andrew McCorkell

Attack sneaks past antivirus detection and dupes users into bypassing protection from Apple’s built-in macOS security, Intego has discovered.

Mac security software company Intego said that since 12 June a new malware installer had a 0/60 detection rate among all antivirus engines on VirusTotal.

In a blog post, the firm identified the new malware as unique new variants of OSX/Shlayer and OSX/Bundlore (similar to previous versions of OSX/MacOffers and Mughthesec/BundleMeUp/Adload).

The updated Shlayer malware is delivered as a Trojan horse application on a .dmg disk image, pretending to be an Adobe Flash Player installer.

Sarb Sembhi, CTO & CISO, Virtually Informed, said: “This malware seems to have all the important hallmarks criminals like: Mac owners are thought to be more wealthy than other device owners; Mac owners trust their devices and believe that the device will protect them.

“The malware writers have taken previous Mac malware and learnt from it on how they can abuse trust in the right way.”

Sembhi added that if we are to learn from past malware incidents, significant advances in any malware must be seen as a test for worse to come.

“...most development is iterative and malware has not been much different, whether the iteration is from the original author or a copycat, the fact is that the approach, techniques or methods used will be used again,” he said.

“Although we are still in the early days of Mac malware, users shouldn't assume it doesn't exist, or that they won't be affected, and they should pay attention to the messages from the operating system where they are given options to accept opening such apps - Don't! Or the warning will be reality, you will be infected.”

Intego said that VirusBarrier X9 is the first anti-malware solution that is known to detect and remove this malware.

The installer appears on a victim’s Mac with a “censored” appearance: once the deceptive Flash Player installer is downloaded, the disk image mounts and displays instructions on how to install it.

The instructions ask the user to right-click on flashInstaller and click Open in the dialogue box.

When the script runs, it extracts a self-embedded, password-protected .zip archive containing a malicious Mac .app bundle.

The bundle is installed in a hidden temporary folder before the script quits the Terminal, all within a second.

The malware then downloads a legitimate, Adobe-signed Flash Player installer so that the process appears genuine, while the hidden Mac app is able to download any other Mac malware or adware package, depending on what those controlling the servers want to do.
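The installer pattern described above (a script named like an installer that carries its own password-protected zip) can be triaged on a mounted disk image with a simple file check. This is an added example, not code from Intego or VirusBarrier; the sample files it builds are constructed stand-ins, and the name filter (“install”/“flash”) is an assumption.

```python
import io
import os
import struct
import tempfile
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a zip local file header
SCRIPT_MAGIC = b"#!"               # shebang: the file is a script, not an app bundle


def analyze_file(path):
    """Return a list of findings for one file (empty list = nothing suspicious)."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if data.startswith(SCRIPT_MAGIC):
        findings.append("shell script posing as an installer")
    off = data.find(ZIP_LOCAL_HEADER)
    # A zip signature after the script text means the script carries its own payload.
    if findings and off > 0:
        findings.append("self-embedded zip archive at offset %d" % off)
        # The general-purpose bit flag sits 6 bytes into the header; bit 0 = encrypted.
        (flags,) = struct.unpack_from("<H", data, off + 6)
        if flags & 1:
            findings.append("embedded archive is password-protected")
    return findings


def scan_image(mount_point):
    """Walk a mounted disk image and report installer-like files that are scripts."""
    report = {}
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            if "install" in name.lower() or "flash" in name.lower():
                findings = analyze_file(os.path.join(root, name))
                if findings:
                    report[name] = findings
    return report


def build_sample_image():
    """Constructed sample (not a real disk image): a shebang script with an
    encrypted-flagged zip appended, beside a harmless text file."""
    d = tempfile.mkdtemp()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.app/Contents/Info.plist", "<plist/>")
    zip_bytes = bytearray(buf.getvalue())
    zip_bytes[6] |= 1                 # mark the first entry as encrypted
    script = b"#!/bin/sh\n# script text; the archive payload follows\nexit 0\n"
    with open(os.path.join(d, "flashInstaller"), "wb") as fh:
        fh.write(script + bytes(zip_bytes))
    with open(os.path.join(d, "README.txt"), "w") as fh:
        fh.write("Right-click and open to install\n")
    return d
```

Running `scan_image(build_sample_image())` flags only flashInstaller, with all three findings; a genuine .app bundle is a directory and never starts with a shebang, so it is not reported.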

Dan Sloshberg, cyber resilience expert at Mimecast, said this type of attack is another great example of how cybercriminals are modifying their attack methodologies to prey on people’s trust of well-known brands – in this case Adobe Flash Player.

Sloshberg said: "Brand spoofing is becoming more commonplace, with our State of Email Security report finding that 51 percent of respondents have seen an increase in the volume of email-based spoofing of well-known internet brands.

"What’s apparent is that defending against malware is a constant battle; hackers are continuously refining malware to get around established security. Despite this continuous threat, our State of Email Security report also found that 39 percent of organisations still do not have a system in place for monitoring and protecting against malware attacks."

He added that the discovery should act as a stark reminder that people should be extremely cautious of installing any software unless they have directly gone onto a reputable software vendor site and done so themselves.

"It’s best to always ignore any prompt requests of this nature that may appear when surfing the web. Individuals may have a flawed sense of security that because they are using a Mac they can regard themselves as safe; however, this attack goes to show that this is no longer accurate.

"It’s also evident that you can’t rely wholly on endpoint AV solutions to protect you from these types of attacks and that more needs to be done.”

The malware spreads to users who search Google for the exact titles of YouTube videos.

Intego’s research team found Google search results that, when clicked, pass through multiple redirection sites to a page claiming that Flash Player is out of date.

Fake warnings entice a victim to download what is believed to be a Flash Player update, which in reality is a Trojan horse.

But Martin Jartelius, CSO at Outpost24, said: "This is a rather gross misrepresentation. The threat actor names pages with popular YouTube videos' exact names, to become a good match, and this points to a malware file instead.

“Google is not at error, and the visitors are fooled to install the malware, so it is a Trojan horse distributed by fooling users, like email phishing this is search results-based phishing. Interesting as such. But Google search is as safe as ever. That is, it helps you find stuff on the Internet but it’s full of bad things. So browse with caution."

Meanwhile, new research from Sophos has shown how the aggressive threat from a cunning version of bundleware is able to drop a total of seven “potentially unwanted applications” (PUAs) under the guise of installing one legitimate application. The research also shows that:

  • Bundlore is the second most prolific threat to MacOS Catalina users - behind nearly seven percent of attacks against the MacOS platform according to Sophos
  • Bundlore has been updated to adapt to recent changes to MacOS and Safari.
  • Clever adware developers are exploiting victims to make money by redirecting users and stealing clicks
  • Bundlore also opens victims up to malvertising, using PUAs to inject ads on webpages visited by the victim - in at least one case, this prompted the download of a fake Adobe Flash update.
