Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
14 Aug 2017

Mughthesec adware: MacOS attack bypasses Gatekeeper protections

Security researchers have discovered an old version of Mac malware that has reappeared in the wild and managed to hijack Mac machines to generate profit for attackers.

The attack, dubbed Mughthesec, appears to be a modified strain of a known adware family called OperatorMac. However, the new version presents an evolved threat for Mac users, as the adware has found a way to appear as a legitimate application and bypass Apple’s built-in security systems.

Mughthesec masquerades as an Adobe Flash installer—a common disguise for malicious programs—and installs itself on a victim’s device if they agree to install the illegitimate Flash update. Once Mughthesec makes its way onto the victim’s machine, it begins to seek permission to download other programs. The adware attempts to install Advanced Mac Cleaner, a malicious app posing as anti-virus software; Safe Finder, an app that hijacks search results in a user’s browser and redirects them to a revenue-generating site for the attacker; and Booking.com, an app for the hotel reservation service.

Luckily, some of the apps the adware attack attempts to install usually set off red flags for third-party security programs. Unfortunately, Mughthesec doesn’t trigger the same response from Apple’s own protections.

Gatekeeper, Apple’s security feature that checks the validity of a program before allowing it to install, is typically the first line of defense against these types of attacks. Mughthesec is able to bypass the protection Gatekeeper typically provides because the adware has acquired—almost certainly illegally—a legitimate Apple developer certificate, which tells Gatekeeper to allow the app to install.

Mughthesec itself has also bypassed many third-party security suites. According to VirusTotal, a service that shows which anti-virus engines detect a given sample, no anti-virus programs currently flag the Mughthesec installer as malicious.

This is not the first time malicious software has managed to bypass the defenses of Gatekeeper. Earlier this year, the popular Mac app Handbrake was hijacked by attackers who created a corrupted installer that delivered malware to anyone who downloaded it. That malware used a stolen Apple developer certificate to install on the victim’s machine.

While the adware attack might be able to bypass Apple’s typical protections, it is possible to manually remove Mughthesec from an infected device. Security researcher Patrick Wardle laid out the steps on his Objective-See blog.

First, users will have to open Terminal, the command-line program built into every MacOS installation. With Terminal open, users will have to unload the Mughthesec launch agent by entering “launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist” into the command line.

From here, delete “~/Library/Application Support/com.Mughthesec/Mughthesec” and “~/Library/LaunchAgents/com.Mughthesec.plist” as well as the “Any Search” browser extension if present on the device. While this should do the trick, Wardle advises the only way to make sure the infection is totally wiped out is to reinstall MacOS.

Tags: information leaks, Apple
Source: IBTimes