{
	"id": "06882562-9291-4a7e-a521-2f47e9ad6153",
	"created_at": "2026-04-06T00:13:29.889344Z",
	"updated_at": "2026-04-10T03:20:01.234005Z",
	"deleted_at": null,
	"sha1_hash": "eb878f07b0e77342f4e80901b352c48d349ff89d",
	"title": "New Crossrider variant installs configuration profiles on Macs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420168,
	"plain_text": "New Crossrider variant installs configuration profiles on Macs\r\nBy Thomas Reed\r\nPublished: 2018-04-23 · Archived: 2026-04-05 22:53:01 UTC\r\nA new variant of the Crossrider adware has been spotted that is infecting Macs in a unique way. For the most part,\r\nthis variant is still quite ordinary, doing some of the same old things that we’ve been seeing for years in Mac\r\nadware. However, the use of a configuration profile introduces a unique new method for maintaining persistence.\r\nPersistence is the goal of most malware. After all, what good is it to infect a machine if the malware stops running\r\nas soon as the computer restarts? There are some cases where that can still be useful (ransomware, for example),\r\nbut in most cases, that’s not desired behavior. So malware creators are often stuck using the same old methods of\r\npersistence that are easy to spot. Sometimes, though, they get creative.\r\nInfection method\r\nThis new Crossrider variant doesn’t look like much on the surface. It’s yet another fake Adobe Flash Player\r\ninstaller, looking like the thousands of others we’ve seen over the years.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/\r\nPage 1 of 5\n\nOpening the installer results in a familiar install process, with nothing unique about it. In the course of installation,\r\nit dumps a copy of Advanced Mac Cleaner, which commences to announce that it has found problems with your\r\nsystem using Siri’s voice. (No such problems actually exist, of course.) Safari also pops open and then closes\r\nagain suspiciously. This is all very blasé, as far as malware goes.\r\nBut something interesting has happened behind the scenes. After removing Advanced Mac Cleaner, and removing\r\nall the various components of Crossrider that have been littered around the system, there’s still a problem. 
Safari’s\r\nhomepage setting is still locked to a Crossrider-related domain, and cannot be changed.\r\nMalicious configuration profile\r\nIt turns out that this is caused by a configuration profile installed on the system by the adware. Configuration\r\nprofiles provide a means for IT admins in businesses to control the behavior of their Macs. These profiles can\r\nconfigure a Mac to do many different things, some of which are not otherwise possible.\r\nIn the case of this Crossrider variant, the configuration profile that is installed forces both Safari and Chrome to\r\nalways open to a page on chumsearch[dot]com. This also prevents the user from changing that behavior in the\r\nbrowser’s settings.\r\nThe profile can be found by opening System Preferences, then clicking the Profiles icon. (If there isn’t a Profiles\r\nicon, you don’t have any profiles installed, which is normal.)\r\nThis profile installs with an identifier of com.myshopcoupon.www, which is not visible in System Preferences.\r\nHowever, the profile can definitely be identified by scrolling through the details and looking for references to\r\nchumsearch[dot]com. This malicious profile can be removed by selecting it and clicking the minus (-) button in\r\nthe bottom left corner of the window.\r\nAttribution\r\nThe chumsearch[dot]com domain is one that has been linked to a number of different adware programs, which can\r\nall be traced back to Crossrider. It is affiliated with one of the most widespread adware campaigns on the Mac,\r\nwith only the infamous Genieo adware having a higher number of detections by Malwarebytes for Mac among all\r\ndetected adware families.\r\nThe chumsearch[dot]com website contains an ad for MacKeeper (the most widely-distributed potentially\r\nunwanted program on macOS, made by Kromtech). 
Advertising money from Kromtech is undoubtedly one of the\r\nways this site pays for itself. Ironically, this adware is also installed alongside another infamous Mac PUP called\r\nAdvanced Mac Cleaner, by PCVARK, a program similar to and competing with MacKeeper.\r\nObviously, not all parts of this chain are affiliated with Crossrider, but the chumsearch domain imposed by the\r\nconfiguration profile definitely is.\r\nIf you’re an IT admin\r\nFor those readers who are managing fleets of Macs and need to check for and/or remove these profiles remotely,\r\nthat’s pretty easy using a few simple shell scripts.\r\nOn macOS 10.12 and earlier, you can use a command like this:\r\nsudo profiles -L\r\nThis works on macOS 10.13 as well, but there is an updated syntax that would be best to use in the future:\r\nsudo profiles list\r\nEither way, if you see an unfamiliar profile, particularly one with a profileIdentifier of com.myshopcoupon.www,\r\nthat profile should be removed. This can be done with the following command on macOS 10.12 and earlier:\r\nsudo profiles -R -p com.myshopcoupon.www\r\nOr, for macOS 10.13:\r\nsudo profiles remove -identifier com.myshopcoupon.www\r\nGone in a Flash\r\nThe good news is that there was nothing particularly sneaky about the method of infection. Fake Adobe Flash\r\nPlayer installers are nothing new, and are easy to avoid. Still, people do continue to fall for such scams.\r\nIf you see a message in your web browser telling you that Adobe Flash Player needs to be updated, it’s almost\r\ncertainly a scam. 
Do not follow any of the directions provided by these messages, and especially don’t download\r\nand install whatever they tell you to.\r\nIf you do have Flash installed on your Mac, and you believe that it needs an update, you can check for and install\r\nupdates from the Update tab in the Flash Player pane in System Preferences.\r\nIf you want to install Flash for the first time on your Mac, the first thing you should do is think twice. Flash is a\r\ndying technology, and is a constant source of security vulnerabilities. Few sites these days truly require Flash.\r\nHowever, if you really do insist on installing it, you should download it only from Adobe’s website.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/"
	],
	"report_names": [
		"new-crossrider-variant-installs-configuration-profiles-on-macs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb878f07b0e77342f4e80901b352c48d349ff89d.pdf",
		"text": "https://archive.orkl.eu/eb878f07b0e77342f4e80901b352c48d349ff89d.txt",
		"img": "https://archive.orkl.eu/eb878f07b0e77342f4e80901b352c48d349ff89d.jpg"
	}
}