Malware descriptions

Rogueware campaign targeting Mac users

Not only Windows users are a target of bad guys that want to distribute rogueware. Now they are also attacking Mac users using the same and old blackhat SEO techniques, poisoning search results in popular search engines.

During our research about Osama Bin Laden’s death we saw the same malicious domains serving two rogueware applications specific to Mac OSX, called Best Mac Antivirus and MACDefender.

When doing searches the user can be redirected to some malicious domains, like this for example:

So the malicious pages check for: browser agent (it must be Safari), the IP address (only US domains now) and the referrer (if it is Google or other search engine). After these checks the malicious page will show a fake scan screen:

Even though the page is showing a fake Windows screen, the file offered will be a .mpkg: the installer of the rogue application:

For the application to be installed, the user needs to input his root password.

This is the main window of the rogue application:

And the fake scanning:

The malicious application also displays gay-porn website and asks the user to pay US $79,95 to buy it:

As our researcher Kurt Baumgartner pointed out last April this was expected:

While the FakeAv rotation through is not a shocker to security researchers at this point, one interesting domain popped out from the tens of thousands of sub domain fakeav hits over the past day…”antispyware-macbook(dot)co(dot)cc”. This marketing quirk is odd, even for these guys. Does this domain suggest that another Apple based malware is in the works? Possibly.”

Both applications are detected by Kaspersky Antivirus for Mac.

Rogueware campaign targeting Mac users

Your email address will not be published. Required fields are marked *



Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

Subscribe to our weekly e-mails

The hottest research right in your inbox