Mac Malware Injects Ads Into Encrypted Traffic
26.10.2018 securityweek
Apple

A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.

Detected as OSX.SearchAwesome, the malware is delivered through a malicious installer that arrives as a cracked app downloaded via a torrent file. The threat’s installer is a disk image file that lacks the usual decorations used to make it look legitimate.

When launched, the image file installs the components invisibly and then requests the user to authorize changes to Certificate Trust Settings and to allow a component called spi to modify the network configuration.

Similar to other adware programs out there, the spinstall app installs an application and launch agents, one of which is designed to execute the spi application. However, it doesn’t keep the app running constantly, meaning that the user can force it to quit, although the app opens again on the next login.

Another agent is designed to monitor spi.app for removal, and also to remove the other component of the malware if that happens.

SearchAwesome also installs the open-source program mitmproxy, which was designed to intercept, inspect, modify, and replay web traffic. It abuses the application to target both unencrypted and encrypted traffic in a man-in-the-middle (MitM) attack.

Armed with the ability to modify Certificate Trust Settings and using the mitmproxy certificate that is now trusted by the system, the malware gains access to HTTPS traffic, which is normally encrypted between the browser and the website, thus protected from prying eyes.

The threat injects JavaScript into every web page the victim visits. The script is loaded from a malicious website.

If spi.app is deleted, the uninstall agent runs a script to disable a proxy the adware set up initially, fetches information from the program’s preferences and sends it to a web server, and removes the preferences and the launch agents.

The script also causes an authentication request to appear four times, Malwarebytes reveals. Furthermore, the uninstaller leaves behind the mitmproxy software, and the certificate the app uses to access encrypted web traffic.

The adware seems innocuous at the moment, as it only injects a script to display ads but, given that the script is actually being loaded from an external server, the content could change at any time and phishing pages or malware could be served instead.

“The injected script could be used to do anything, from mining cryptocurrency to capturing browsing data to keylogging and more. Worse, the malware itself could invisibly capture data through the MitM attack, without relying on JavaScript or modifying the web page content,” Malwarebytes points out.

Even if the malware uninstalls itself, the potential for damage is not over, given that it leaves behind the tools it uses to execute the MitM attack. This means that another piece of malware could leverage the tools for their own nefarious purposes.