Security researchers have discovered a new strain of Mac malware that has surfaced in the wild and is managing to infect Mac machines in order to generate profit for the attackers.
The attack, dubbed Mughthesec, appears to be a modified strain of a known adware attack known as OperatorMac. However the new version presents an evolved threat for Mac users, as the adware has found a way to appear as a legitimate application and bypass Apple’s built in security systems.
Mughthesec masquerades as an Adobe Flash installer—a common disguise for malicious programs—and installs itself on a victim’s device if they agree to install the illegitimate Flash update.
Once Mughthesec makes its way onto the victim’s machine, it begins to seek permission to download other programs. The adware attempts to install Advanced Mac Cleaner, a malicious app posing as anti-virus software; Safe Finder, an app that hijacks search results in a user’s browser and redirects them to a revenue-generating site for the attacker; and Booking.com, an app for the hotel reservation service.
Luckily, some of the apps the adware attack attempts to install usually set off red flags for third-party security programs. Unfortunately, Mughthesec doesn’t trigger the same response from Apple’s own protections.
Gatekeeper, Apple’s security feature that checks the validity of a program before allowing it to install, is typically the first line of defense against these types of attacks. Mughthesec is able to bypass the protection Gatekeeper typically provides because the adware has acquired—almost certainly illegally—a legitimate Apple developer certificate, which tells Gatekeeper to allow the app to install.
Mughthesec itself also evades a number of third-party security packages. According to VirusTotal, a service that shows which antivirus software detects a given threat, no antivirus programs currently flag the Mughthesec installer as malicious.
This is not the first time malicious software has managed to get past Gatekeeper’s defenses. Earlier this year, the popular Mac app HandBrake was hijacked by attackers who created a corrupted installer that delivered malware to anyone who downloaded it. That malware used a stolen Apple developer certificate to install on the victim’s machine.
While the adware attack might be able to bypass Apple’s typical protections, it is possible to manually remove Mughthesec from an infected device. Security researcher Patrick Wardle laid out the steps on his blog, Objective-See.
First, users will have to open Terminal, a command line program built into all MacOS devices. With Terminal open, users will have to unload the Mughthesec launch agent by entering “launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist” into the command line.
From here, delete “~/Library/Application Support/com.Mughthesec/Mughthesec” and “~/Library/LaunchAgents/com.Mughthesec.plist” as well as the “Any Search” browser extension if present on the device. While this should do the trick, Wardle advises the only way to make sure the infection is totally wiped out is to reinstall MacOS.
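The removal steps above, together with the Gatekeeper point from earlier in the article, as an added check-and-clean script. This is example code written for this page, not Wardle’s instructions or anything from Objective-See; the file paths are the ones the article quotes, while the function names and the optional home-directory argument (so the scan can be pointed at a test directory) are assumptions of the example. The Gatekeeper assessment only runs on macOS, where `spctl` and `codesign` exist.

```shell
#!/bin/sh
# Added example (not from the article or from Objective-See): find and remove
# the Mughthesec persistence artifacts named in the text, and show why a
# "signed" verdict from Gatekeeper is not enough on its own.

# Persistence artifacts quoted in the article, relative to the user's home.
MUGHTHESEC_LAUNCH_AGENT="Library/LaunchAgents/com.Mughthesec.plist"
MUGHTHESEC_SUPPORT_DIR="Library/Application Support/com.Mughthesec"
MUGHTHESEC_BINARY="$MUGHTHESEC_SUPPORT_DIR/Mughthesec"

# Print every artifact present under the given home directory (default: $HOME),
# one path per line. Returns 0 if anything was found, 1 if the machine looks clean.
mughthesec_find() {
    home="${1:-$HOME}"
    found=1
    for rel in "$MUGHTHESEC_LAUNCH_AGENT" "$MUGHTHESEC_BINARY"; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
            found=0
        fi
    done
    return $found
}

# Unload the launch agent (the "launchctl unload" step from the article) and
# delete the plist and the Application Support directory. Returns 0 only when
# a re-scan afterwards finds nothing.
mughthesec_remove() {
    home="${1:-$HOME}"
    agent="$home/$MUGHTHESEC_LAUNCH_AGENT"
    # launchctl exists only on macOS; on other systems (e.g. a test run) just delete.
    if command -v launchctl >/dev/null 2>&1 && [ -e "$agent" ]; then
        launchctl unload "$agent" 2>/dev/null || true
    fi
    rm -f "$agent"
    rm -rf "$home/$MUGHTHESEC_SUPPORT_DIR"
    if mughthesec_find "$home" >/dev/null; then
        return 1
    fi
    return 0
}

# Gatekeeper assessment of a downloaded installer (macOS only). Mughthesec
# carried a valid developer certificate, so "accepted" is not proof of
# legitimacy: also print the signing authority and team ID so a human can
# judge whether a "Flash installer" is really signed by the vendor it claims.
mughthesec_assess() {
    target="$1"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; skipping Gatekeeper assessment"
        return 2
    fi
    spctl --assess --type execute --verbose "$target"
    codesign -dvv "$target" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}
```

Run `mughthesec_find` first to see what is present, then `mughthesec_remove`; the "Any Search" browser extension still has to be removed from the browser itself, and, as the article notes, only a reinstall of macOS gives certainty that nothing else was dropped.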