
More fakeAV for MAC. This time it’s massive

When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I looked a bit into the origin of these campaigns. It was interesting how different researchers were obtaining those samples by searching for images on Google. However, different searches always arrived at the same result, leading to the question: how many search terms have been poisoned?

That was an interesting question. The answer came from reading another very interesting piece of research from Unmask Parasites: http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective scheme that allows the criminals to poison image search results. Could it be that this scheme was connected to the fakeAV for MAC?

I contacted the author of the post and he was very nice and helped me in conducting my own research (kudos for Unmask Parasites). Here are the results:

When connecting to an infected site, there is a redirection that is only effective when using a search engine such as Google as referrer in the parameters:

hxxp://kdsqXXXXe.ce.ms/in.cgi?2&seoref=www.google.com&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2FmatcXXXXnt.com.do%2F&default_keyword=default

After that you get malicious HTML with obfuscated JavaScript code in it; in this case exploiting the Windows Help Center (hcp://) URL Validation Vulnerability (CVE-2010-1885). If the exploit is successful, you will be redirected to download a .jar file posing as a videogame:

kniXXXXng.info/games/mario.jar

Finally, the .jar file tries to download an .avi file from another server:

216.XXX.XXX.202/pub/new.avi

This file is detected as Trojan.Win32.Delf.arsr.

However, the interesting thing is what happens when you start the infection chain with a MAC user agent. In this case the scheme is different: you get HTML with obfuscated JavaScript that produces the following result.

Bingo! Here we have our FakeAV campaign. The HTML poses as the result of an antivirus running on a Finder interface. Clicking “Remove All” will download a zip file with a random name from the same server. These files are variants of the fakeAV binaries that my colleague Fabio explained in his post.
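The chain above (search-engine referrer check, then a .jar and .avi for Windows clients, or a zip from the same server for MAC clients) can be reconstructed from proxy logs. The following is an added example, not code from the original post; it assumes a constructed log format of "timestamp client ua_family url" and uses placeholder hostnames in place of the redacted ones in the post.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (placeholder hosts, not the real infrastructure).
SAMPLE_LOG = """\
1304600001 10.0.0.5 Windows http://redirector.example/in.cgi?2&seoref=www.google.com&parameter=kw&se=google&ur=1&HTTP_REFERER=http%3A%2F%2Fhacked.example%2F&default_keyword=default
1304600003 10.0.0.5 Windows http://games.example/games/mario.jar
1304600009 10.0.0.5 Windows http://203.0.113.7/pub/new.avi
1304600020 10.0.0.9 Mac http://redirector.example/in.cgi?2&seoref=www.google.com&parameter=kw&se=google&ur=1&HTTP_REFERER=http%3A%2F%2Fhacked.example%2F&default_keyword=default
1304600031 10.0.0.9 Mac http://redirector.example/a8f3k2.zip
1304600040 10.0.0.22 Windows http://cdn.example/static/app.js
"""

def classify(url, ua_family):
    """Map one request to a stage of the chain described in the post, or None."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    # The redirector only fires when a search engine is passed as referrer.
    if parts.path.endswith("/in.cgi") and "seoref" in q and "HTTP_REFERER" in q:
        return "redirector"
    if ua_family == "Windows" and parts.path.startswith("/games/") and parts.path.endswith(".jar"):
        return "jar_dropper"
    if ua_family == "Windows" and parts.path.endswith(".avi"):
        return "payload"
    if ua_family == "Mac" and parts.path.endswith(".zip"):
        return "fakeav_zip"
    return None

def reconstruct_chains(log_text):
    """Return, per client that hit the redirector first, the ordered stages seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, ua, url = line.split(" ", 3)
        stage = classify(url, ua)
        if stage:
            events[client].append((int(ts), stage, urlsplit(url).hostname))
    chains = {}
    for client, hits in events.items():
        hits.sort()
        if hits[0][1] != "redirector":
            continue
        redirector_host = hits[0][2]
        stages = []
        for _, stage, host in hits:
            # The MAC branch serves the zip from the same server as the fake scanner page.
            if stage == "fakeav_zip" and host != redirector_host:
                continue
            stages.append(stage)
        chains[client] = stages
    return chains
```

Running reconstruct_chains(SAMPLE_LOG) yields one Windows chain (redirector, jar_dropper, payload) and one MAC chain (redirector, fakeav_zip); the unrelated client with only a .js request is not reported.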

In this case the infection relies on social engineering, as you need to click the button and install the downloaded file. However, from previous experience we know how effective this method is. Be careful: this time the campaign is massive, and the criminals could change the infection method to launch an exploit, as they are doing on Windows. Protect your MAC, the good times are gone!
