More fakeAV for MAC. This time it’s massive

When my colleague Fabio wrote about a Rogueware campaign targeting MAC users, I investigated a bit into the origin of these campaigns. It was interesting how different researchers were getting those samples through searching images on Google. However, different searches always arrive at the same result, leading to the question: How many search terms have been poisoned?

That was an interesting question. But the answer came reading another very interesting research from Unmask Parasites. I recommend you read the post, but in essence it explains how thousands of sites have been infected with a very effective schema that allows the criminals to poison image search results. Could it be that this schema was connected to the fakeAV for MAC?

I contacted the author of the post and he was very nice and helped me in conducting my own research (kudos for Unmask Parasites). Here are the results:

When connecting to an infected site, there is a redirection that is only effective when using a search engine such as Google as referrer in the parameters:


After that you get malicious HTML with obfuscated Javascript code in it; in this case exploiting HPC URLHelp Center URL Validation Vulnerability (CVE-2010-1885). If the exploit is successful, you will be redirected to download a .jar file posing as a videogame:

Finally, the .jar file tries to download an .avi file from another server:


This file is detected as Trojan.Win32.Delf.arsr.
However the interesting thing is what happens when you start the infection chain with a MAC user agent. In this case the schema is different: you get HTML with an obfuscated Javascript with the following result.

Bingo! Here we have our FakeAV campaign. The HTML poses as the result of an antivirus running on a Finder interface. Clicking “Remove All” will download a zip file with a random name from the same server. These files are variants of the fakeAV binaries that my colleague Fabio explained in his post.

In this case the infection is social engineering, as you need to click the button and install the downloaded file. However from previous experience we know how effective this method is. Be careful, this time the campaign is massive and the criminals could change the infection method to launch an exploit, as they are doing in Windows. Protect your MAC, the good times are gone!

More fakeAV for MAC. This time it’s massive

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox