Apple’s Macs are being hit by a strange new strain of malware that intercepts and tampers with internet traffic to inject Bing results into users’ Google search results.
According to a report from security house AiroAV, its researchers noticed a software nasty that configures compromised macOS computers to route the user’s network connections through a local proxy server that modifies Google search results.
This malware is quite different from what we have seen previously. Normally, malware that pushes ads and other junk into websites visited on a Mac starts its rampage by installing a browser or OS extension, or by injecting AppleScript, before pulling off its stunts.
This strain is different in that it doesn’t depend on any of those: it works on its own.
It works around security defenses introduced in macOS Mojave that killed off the older man-in-the-middle techniques.
How it Works
From what we’ve learned so far, the malware first shows up as an installer for an Adobe Flash plugin, delivered perhaps by email or on a flash drive, that the user is tricked into running. This imitation installer asks the victim for his or her macOS account login details.
It uses those details to gain enough privileges to install a local network proxy and reconfigure the system so that all requests from web browsers pass through it.
The installed proxy can then tamper with unencrypted data as it flows between the Mac and the public internet.
At this stage, the Malware is just getting started.
HTTPS is of little help here!
A root security certificate is also added to the Mac’s keychain, letting the proxy present its own SSL/TLS certificates for requested websites, which the system will now trust.
This enables it to potentially intercept and tamper with encrypted HTTPS traffic. This man-in-the-middle eavesdropping works against HTTP websites, and against any HTTPS sites that don’t use MITM countermeasures such as certificate pinning.
Hence, when a typical user opens their browser and runs a Google search on an infected Mac, the request is routed to the locally installed proxy. The proxy injects an HTML iframe into the Google results page containing Bing results fetched for the same query.
It’s believed that the Bing results carry web ads that generate revenue for the malware’s masterminds.
The attackers may be cashing out on ads they’ve managed to serve via this method; these might be Bing ads, or entirely different ads.
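The proxy reconfiguration described above leaves a trace in the system’s network settings: a web or secure web proxy pointing at the Mac itself. As an added example (not code from the AiroAV report or the malware), the following check parses the output of macOS’s `networksetup -getwebproxy` / `-getsecurewebproxy` commands and flags any enabled proxy aimed at a loopback address; the sample outputs are constructed so it runs offline, and the service name "Wi-Fi" is an assumption.

```python
"""Flag macOS proxy settings that send browser traffic through a local proxy.

On a Mac, feed check_service() the output of:
  networksetup -getwebproxy "Wi-Fi"
  networksetup -getsecurewebproxy "Wi-Fi"
(run for every service listed by `networksetup -listallnetworkservices`).
"""
import ipaddress

# Constructed sample output in the "Key: value" layout networksetup prints.
SAMPLE_WEB_PROXY = """Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0
"""
SAMPLE_SECURE_PROXY = SAMPLE_WEB_PROXY.replace("8080", "8443")
SAMPLE_PROXY_CLEAN = "Enabled: No\nServer:\nPort: 0\nAuthenticated Proxy Enabled: 0\n"


def parse_proxy_output(text):
    """Turn networksetup's 'Key: value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_service(service, web_text, secure_text):
    """Return findings for proxies that are enabled and point back at this Mac."""
    findings = []
    for kind, text in (("HTTP", web_text), ("HTTPS", secure_text)):
        cfg = parse_proxy_output(text)
        if cfg.get("Enabled") == "Yes" and is_loopback(cfg.get("Server", "")):
            findings.append(f"{service}: {kind} proxy enabled at loopback "
                            f"{cfg['Server']}:{cfg.get('Port')} - browser traffic "
                            "passes through a process on this Mac; verify it is expected")
    return findings


if __name__ == "__main__":
    for finding in check_service("Wi-Fi", SAMPLE_WEB_PROXY, SAMPLE_SECURE_PROXY):
        print(finding)
```

A local proxy is legitimate for some developer and security tools, so treat a hit as a prompt to identify the listening process and review the System keychain for unexpected root certificates, not as proof of infection.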
The elaborate steps taken to take over a Mac using a MITM (man-in-the-middle) approach are a response to Apple’s security measures in macOS Mojave, which locked down browser extensions and the use of AppleScript, the very techniques that had paved the way for adware makers preying on Macs in the past.
By using MITM, the attackers can inspect all of the user’s traffic, including encrypted content, manipulate it, and return modified responses to the user.