More fakeAV for MAC. This time it’s massive

When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I investigated a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples through searching images on Google. However, different searches always arrive at the same result, leading to the question: How many search terms have been poisoned?

That was an interesting question. But the answer came reading another very interesting research from Unmask Parasites. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective schema that allows the criminals to poison image search results. Could it be that this schema was connected to the fakeAV for MAC?

I contacted the author of the post and he was very nice and helped me in conducting my own research (kudos for Unmask Parasites). Here are the results:

When connecting to an infected site, there is a redirection that is only effective when using a search engine such as Google as referrer in the parameters:


After that you get malicious HTML with obfuscated Javascript code in it; in this case exploiting HPC URLHelp Center URL Validation Vulnerability (CVE-2010-1885). If the exploit is successful, you will be redirected to download a .jar file posing as a videogame:

Finally, the .jar file tries to download an .avi file from another server:


This file is detected as Trojan.Win32.Delf.arsr.
However the interesting thing is what happens when you start the infection chain with a MAC user agent. In this case the schema is different: you get HTML with an obfuscated Javascript with the following result.

Bingo! Here we have our FakeAV campaign. The HTML poses as the result of an antivirus running on a Finder interface. Clicking “Remove All” will download a zip file with a random name from the same server. These files are variants of the fakeAV binaries that my colleague Fabio explained in his post.

In this case the infection is social engineering, as you need to click the button and install the downloaded file. However from previous experience we know how effective this method is. Be careful, this time the campaign is massive and the criminals could change the infection method to launch an exploit, as they are doing in Windows. Protect your MAC, the good times are gone!

More fakeAV for MAC. This time it’s massive

Your email address will not be published. Required fields are marked *



LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Subscribe to our weekly e-mails

The hottest research right in your inbox