{
	"id": "876c584b-e0c1-4d15-8606-1f89cfb87bfb",
	"created_at": "2026-04-06T00:09:04.538295Z",
	"updated_at": "2026-04-10T03:20:33.992442Z",
	"deleted_at": null,
	"sha1_hash": "bd02b0ba975d1f36a0a239c9e8b617ee0f3af739",
	"title": "On the Trail of OSX.FairyTale | Adware Playing at Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4374256,
	"plain_text": "On the Trail of OSX.FairyTale | Adware Playing at Malware\r\nBy Phil Stokes\r\nPublished: 2018-09-20 · Archived: 2026-04-05 19:09:08 UTC\r\nSpotted: An adware installer tries its best to avoid detection but leaves behind more clues than intended.\r\nTrojan installers delivering adware and unwanted applications (PUPs) have been the most prevalent security nuisance on the macOS platform in recent years. To date, these have engaged in little more than low-level scraping of user data and browsing habits, but their potential to be far more threatening is only awaiting the right monetary incentive. A recent report on what appeared to be a run-of-the-mill adware infection set us on the trail of OSX.FairyTale, an adware variant first identified in early 2018 by Malwarebytes researcher Thomas Reed. FairyTale uses a lot of heavy obfuscation and anti-reversing technology, not unusual for malware, but overkill for simple adware. We decided to take a closer look.\r\nOur sample came in the guise of a trojan installer called SpellingChecker.app that was uploaded to VirusTotal in late August. The application bundle is signed with a valid Apple Developer ID:\r\nHowever, that has since been revoked by Apple:\r\nSentinel:$ spctl --verbose=4 --assess --type execute SpellingChecker.app\r\nSpellingChecker.app: CSSMERR_TP_CERT_REVOKED\r\nhttps://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/\r\nPage 1 of 9\r\nStatic analysis of the installer binary reveals two things of immediate note: an attempt to escalate privileges with AppleScript, and a lot of base64-encoded strings.\r\ndo shell script \"%@\" with administrator privileges\r\nH0VDQh9SWV4fSFFEREI=\r\nHUJT\r\nH0VDQh9SWV4fX0BVXg==\r\nWe knew things were going to get interesting when our first attempt to decode the base64 only spewed out gibberish:\r\nSentinel:$ echo H0VDQh9SWV4fSFFEREI= | base64 -D; echo\r\nECBRY^HQDDB\r\nSentinel:$\r\nA quick trip to Hopper showed us the pseudo-code for the decryption method:\r\nA fairly straightforward XOR, which we re-implemented in Objective-C. Looking at the arguments passed into the method, the base64 was XOR’d with 0x30 (48 in decimal):\r\nUsing our decoder, we were now able to see what the installer was up to: an XProtect bypass:\r\nUsing xattr to remove Apple’s quarantine bit is a common technique used by researchers. It makes it possible to run and examine malware on a Mac even after it has been blocked by Apple. Clearly, this trick hasn’t gone unnoticed among malware authors, either.\r\nFairyTale’s installer had another surprise for us, too. For both safety and convenience, malware researchers make use of virtual machines to analyse samples, but FairyTale’s authors didn’t want anyone looking at their code in a virtual machine:\r\nDecoded: ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l\r\nAnd they didn’t want to get caught by Legacy AntiVirus software either, as this list of de-obfuscated base64 strings makes clear:\r\nOn execution, the installer takes a trip to the Temp folder, where it drops the following compressed file:\r\n/tmp/ot3497.zip\r\nAfter unpacking the zip file, FairyTale then writes and loads a persistence agent and its executable to the following paths:\r\n~/Library/LaunchAgents/com.sysd.launchserviced.plist\r\n~/Library/Application Support/com.sysd.launchserviced/launchserviced\r\nThe installer uses xattr to remove both the quarantine bit and the kMDItemWhereFroms attribute, which Spotlight and MDQuery use to keep track of where a file has come from. Typically, for downloads, that will be the URL from which the file was sourced. Fortunately, macOS has other ways of spilling secrets; namely, in this case, the SQL database under ~/Library/Caches/com.spelling.checker.Agent:\r\nFrom this, we can see that the installer grabbed launchserviced.zip from\r\nhttp://vision-set.download/files/launchserviced.zip\r\nStealth was undoubtedly on the author’s mind. The name of the executable, launchserviced, is just one letter different from the name of a real Apple process that runs on every user’s Mac. The highlighted item below is OSX.FairyTale trying to blend in with legitimate Apple processes:\r\nClearly, FairyTale aims to go unnoticed or to be taken for something legitimate.\r\nAmong the installer’s obfuscated base64 is the template for a property list file:\r\nNotice that it uses placeholders for some of the keys: Label – the name that is typically used for the property list’s filename and also the name it gives to launchd when it’s loaded; StartInterval – which tells launchd how often to run the job; and ProgramArguments – an array of commands to pass to the job when it runs.\r\nAgain, the intent is clear: this isn’t a one-off package, but a re-usable installer for any payload the author chooses. Here’s the actual property list dropped for Spelling.Checker, with a start interval of 3600 seconds, i.e., every hour:\r\nThe dropped version used the Program key rather than the ProgramArguments key, which tells us that no commands are passed to the executable on launch in this case. Although the property list structure is correct, it’s an unnecessary change, as the same effect is achieved by simply passing in the program path as the first argument to the ProgramArguments key.\r\nIt seems the coder is a careful programmer who pays attention to details. Alas, like all villains in a FairyTale, it’s the bad guys’ own actions that lead to their downfall, and this story is no different when we look at the launchserviced binary.\r\nAfter all the effort put into avoiding detection and reverse engineering, the author of launchserviced made an error, and appears to have accidentally allowed debug entitlements in the binary:\r\nAlthough not currently enforced by Apple, the com.apple.security.get-task-allow entitlement is intended to allow a debugger to attach to a sandboxed app when it’s running. This is necessary during development to allow Xcode or the low-level debugger (lldb) to launch and inspect the running code. However, the entitlement is stripped automatically when code is exported for distribution through Xcode’s Organizer. The presence of it here suggests that the developer copied the target from the project after building it, or perhaps exported the binary using ‘debug’ rather than ‘release’ settings.\r\nWe also see this binary is signed with a different developer ID than the revoked one used for the installer. Although it’s not possible to tell whether this signature is revoked, we have reported it to Apple and assume they are investigating.\r\nWhen executed, launchserviced appears to have relatively benign behaviour. If Safari is open, it is redirected through several sites and finally lands on online-empire.co:\r\nOther addresses loaded include rdtrck2.com, bizprofits.go2cloud.org and tracklik.com.\r\nFurther static analysis of the code reveals methods that we’d expect to see in browser redirection:\r\nTwo data files are written to the executable’s parent folder with a hard-coded file name prefix 840D2EBF08F9E4C880E5BE6919FB46EA. The files contain a single byte, which in our tests was either ‘1’ or ‘2’.\r\nA Happy Ending?\r\nOSX.FairyTale is an interesting adware variant not because of what it does, but because of the techniques used to prevent detection and analysis. Considerable effort has been expended in hardening the installer code to prevent reversal, and launchserviced was clearly named for stealth. Given the rather unadventurous behaviour of the launchserviced code, we can only assume that these efforts were either a proof-of-concept or part of a larger project still in development.\r\nThe developer signatures and code are now on the radar, but like many a real-life FairyTale, we won’t be surprised to see this one get retold and adapted for other purposes in the future.\r\nSource: https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/"
	],
	"report_names": [
		"trail-osx-fairytale-adware-playing-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd02b0ba975d1f36a0a239c9e8b617ee0f3af739.pdf",
		"text": "https://archive.orkl.eu/bd02b0ba975d1f36a0a239c9e8b617ee0f3af739.txt",
		"img": "https://archive.orkl.eu/bd02b0ba975d1f36a0a239c9e8b617ee0f3af739.jpg"
	}
}