The malware has already infected thousands of Mac computers around the world. According to a blog post by Amit Serper, principal security researcher at Cybereason, usual adware campaigns enable attackers to flood a person's computer with ads, but this malware goes further: besides bombarding Macs with adware, it spies on users and runs with the highest user privileges. That enables hackers to leverage the adware to capture users' personal information, including bank account logins and the intellectual property of businesses.
“To my surprise, it's very active. Not only is it still infecting people's Macs, OSX.Pirrit's authors learned from one of their mistakes (They obviously read at least one of our earlier reports),” said Serper.
He added that unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy server on the victim's machine to hijack the browser, this incarnation uses AppleScript, Apple's scripting/automation language.
“And, like its predecessors, this variant is nasty. In addition to bombarding people with ads, it spies on them and runs under root privileges,” he said.
“There is no difference between traditional malware that steals data from its victims and adware that spies on people's Web browsing and targets them with ads, especially when those ads are for either fake antivirus programs or Apple support scams,” he said.
“As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random names for itself on each install. Plus, there are no removal instructions and some of its components mask themselves to appear like they're legitimate and from Apple.”
“Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge's legal counsel. The letters demand that we stop referring to TargetingEdge's software as malware and refrain from publishing this report,” he said.
Serper said around 28 other antivirus engines on VirusTotal also classify it as such. “The authors of this software went through great lengths to mask themselves and distance themselves from it,” he added. TargetingEdge claimed that it develops and operates a “legitimate and legal installer product for MAC users,” and that the product is not malware and doesn't include any features of malware.
Kelvin Murray, threat research analyst at Webroot, told SC Media UK that users need to report any changes to the search or browser settings of their device to the admin. Users need to be aware that these changes can be just one visible part of a much bigger problem. He adds, “In addition, admins need to take the usual security measures including software updates, AV, and user education. Both the admin and users need to see this as yet another sign that Macs are not ‘virus proof’ as is so commonly assumed and often ignored. There is a need for a stronger focus put onto OSX as security vulnerabilities are becoming more apparent, especially taking into account the event of the MacOS High Sierra.”