![]() TargetingEdge’s website just says it’s “coming soon to a browser near you” and doesn’t give any information about the company. The user name was a person’s first and last name, so, naturally, I plugged that name into Google and learned that the person is an executive at TargetingEdge, an Israeli company that bills itself as an “online marketing” company. The people who created this archive weren't too careful. So when I listed the files inside the archive, I could see the user name of the person who created the archive. The tar.gz archive format is a Posix format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. ![]() However, the variant’s creators made a crucial mistake that caused their entire operation to topple like a house of cards. Whoever created the variant did their best to avoid leaving evidence that could be traced back to them and lead to their getting caught. The domains were registered as private and there was nothing that linked this adware to a person or company. Until this point, every other lead I followed lead to a dead end. Since I didn’t want to disable my antivirus programs, I decided to list the files inside of the tgz archive. Unpacking the file to see what was inside the archive would have triggered my antivirus program since it would have identified the file as OSX.Pirrit. Dit8.tgz contained the ad-injecting-traffic-hijacking proxy server that’s being installed on the victim’s machine. I discussed it in my previous research report on OSX.Pirrit as well as during my presentation at the LayerOne conference. That means that we have all of the “evil” files (the ad-injecting-traffic-hijacking proxy, configuration files) but without the dropper itself.Īmong the dropped files was an archive file called dit8.tgz. The person who contacted me about the removal script was kind enough to share some files that new variant had dropped on his machine. I was surprised to learn that there was a new variant and that it still works even though some of Pirrit’s servers and a few distribution websites had been taken down after my earlier research was published. The greater point I’m trying to make is that even Macs are vulnerable to threats.įast forward to two weeks ago when I was informed by one of my Twitter followers that the removal script I had created for OSX.Pirrit no longer worked because the program had mutated. Attackers could have used the capabilities built into OSX.Pirrit to install a keylogger and steal your log-in credentials or make off with your company’s intellectual property, among many other bad outcomes. ![]() The catch: OSX.Pirrit didn’t execute any harmful functions but the potential to carry out these much more malicious activities was there. With components such as persistence and the ability to obtain root access, OSX.Pirrit has characteristics usually seen in malware. After dissecting it, I discovered that this wasn’t your typical adware program that just floods a person’s browser with ads. To review, I first encountered this Windows adware port back in April 2016. In this installment, we reveal who’s behind this particularly nasty piece of adware that targets Mac OS X.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |