Security researchers have discovered an old version of Mac malware that has reappeared in the wild and managed to hijack Mac machines to generate profit for attackers.
The attack, dubbed Mughthesec, appears to be a modified strain of a known adware attack known as OperatorMac. However the new version presents an evolved threat for Mac users, as the adware has found a way to appear as a legitimate application and bypass Apple’s built in security systems.
Mughthesec masquerades as an Adobe Flash installer—a common disguise for malicious programs—and installs itself on a victim’s device if they agree to install the illegitimate Flash update.
Once Mughthesec makes its way onto the victim’s machine, it begins to seek permission to download other programs. The adware attempts to install Advanced Mac Cleaner, a malicious app posing as anti-virus software; Safe Finder, an app that hijacks search results in a user’s browser and redirects them to a revenue-generating site for the attacker; and Booking.com, an app for the hotel reservation service.
Luckily, some of the apps the adware attack attempts to install usually set off red flags for third-party security programs. Unfortunately, Mughthesec doesn’t trigger the same response from Apple’s own protections.
Gatekeeper, Apple’s security feature that checks the validity of a program before allowing it to install, is typically the first line of defense against these types of attacks. Mughthesec is able to bypass the protection Gatekeeper typically provides because the adware has acquired—almost certainly illegally—a legitimate Apple developer certificate, which tells Gatekeeper to allow the app to install.
Mughthesec itself has also bypassed many third-party security suites. According to VirusTotal, a service that shows what anti-virus software detects certain threats, no anti-virus programs currently register the Mughthesec installer as malicious.
This is not the first time malicious software have managed to bypass the defenses of Gatekeeper. Earlier this year, popular Mac app Handbrake was hijacked by attackers who created a corrupted installer that delivered malware to anyone who downloaded it. The malware used a stolen Apple developer certificate to install on the victim’s machine.
While the adware attack might be able to bypass Apple’s typical protections, it is possible to manually remove Mughthesec from an infected device. Security researcher Patrick Wardle laid out the steps in his blog Objective-See.
First, users will have to open Terminal, a command line program built into all MacOS devices. With Terminal open, users will have to unload the Mughthesec launch agent by entering “launchctl unload ~/Library/LaunchAgents/com.Mughthesec.plist” into the command line.
From here, delete “~/Library/Application Support/com.Mughthesec/Mughthesec” and “~/Library/LaunchAgents/com.Mughthesec.plist” as well as the “Any Search” browser extension if present on the device. While this should do the trick, Wardle advises the only way to make sure the infection is totally wiped out is to reinstall MacOS.