New Mac Adware Mughthesec Will Cause Serious Headaches

A new family of Mac adware is bound to cause some headaches to infected victims, as the only way to remove it and its secondary payloads is by reinstalling macOS from scratch, according to the expert opinion of Patrick Wardle, Director of Research at Synack and a well-known Mac malware researcher.

This new adware’s name is Mughthesec, and according to Thomas Reed, an expert in Mac malware at Malwarebytes, it’s a new and improved version of the older OperatorMac family that’s been haunting Mac users for quite some time.

Nonetheless, it was a recent tweet that got the top Mac malware security researchers on the trail of Mughthesec, with intent to break it down and see how the adware operates.

Their research uncovered an evolved threat that includes a MAC-address-based anti-VM detection check and is signed with a valid Apple developer certificate, which lets it pass Apple’s Gatekeeper checks without being flagged.

Very little Mac malware is signed with a valid certificate, which makes Mughthesec quite unusual among its peers.
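A valid Developer ID signature tells Gatekeeper only that Apple issued a certificate to some developer account; it says nothing about intent. When triaging a sample, the useful questions are whether the binary is signed at all, by which Team ID, and with what certificate chain. The script below is an added example, not code from the article or from the researchers it cites: it parses the output of Apple’s `codesign -dvvv` (the `Authority=` and `TeamIdentifier=` lines are the tool’s real format) and classifies the signer, so the result can be logged or compared against an allow-list of Team IDs. The embedded sample output, its bundle identifier and the `TEAMID0000` team are constructed placeholders, not values from Mughthesec.

```python
"""Classify the code signature on a macOS app the way a defender would when
triaging an installer such as the adware's Player.dmg payload (added example).
"""
import subprocess
import sys

# Constructed sample of `codesign -dvvv` output for a Developer-ID-signed app.
# Identifier, developer name and TEAMID0000 are placeholders, not real values.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Volumes/Player/Player.app/Contents/MacOS/Player
Identifier=com.example.player
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=235 flags=0x0(none) hashes=3+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Dev LLC (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 9, 2017 at 10:00:00 AM
Info.plist entries=20
TeamIdentifier=TEAMID0000
Sealed Resources version=2 rules=12 files=4
Internal requirements count=1 size=172
"""


def run_codesign(path):
    """Run codesign on a real path; its verbose output goes to stderr."""
    proc = subprocess.run(["codesign", "-dvvv", path],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True)
    return proc.stdout


def parse_codesign_output(text):
    """Extract the signer-relevant fields from codesign's key=value lines."""
    info = {"signed": True, "adhoc": False, "identifier": None,
            "team_id": None, "authorities": []}
    if "code object is not signed at all" in text:
        info["signed"] = False
        return info
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if key == "Authority":
            info["authorities"].append(value)      # leaf cert comes first
        elif key == "TeamIdentifier":
            info["team_id"] = None if value == "not set" else value
        elif key == "Identifier":
            info["identifier"] = value
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True                   # no certificate chain at all
    return info


def classify_signer(info):
    """Map the leaf certificate to a signer class Gatekeeper would see."""
    if not info["signed"]:
        return "unsigned"
    if info["adhoc"] or not info["authorities"]:
        return "adhoc"
    leaf = info["authorities"][0]
    if leaf.startswith("Developer ID Application:"):
        return "developer_id"        # third-party, Gatekeeper-accepted
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "app_store"
    if leaf.startswith("Software Signing"):
        return "apple"               # Apple's own system binaries
    return "other"


def triage(info, allowed_team_ids):
    """Turn the classification into a verdict a responder can act on.

    A Developer ID signature from a team not on the allow-list is exactly the
    case this adware exploits: valid to Gatekeeper, unknown to the organisation.
    """
    signer = classify_signer(info)
    if signer in ("apple", "app_store"):
        return "ALLOW: signed by Apple (%s)" % signer
    if signer == "developer_id":
        if info["team_id"] in allowed_team_ids:
            return "ALLOW: Developer ID team %s is on the allow-list" % info["team_id"]
        return "REVIEW: valid Developer ID signature from unknown team %s" % info["team_id"]
    return "REVIEW: %s code, Gatekeeper would normally block this" % signer


if __name__ == "__main__":
    # With a path argument, inspect a real bundle; otherwise use the sample.
    text = run_codesign(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CODESIGN_OUTPUT
    parsed = parse_codesign_output(text)
    print(triage(parsed, allowed_team_ids=set()))
```

Run it as `python3 triage_signature.py /Volumes/Player/Player.app` on a Mac to check a mounted installer; without an argument it evaluates the constructed sample and reports a `REVIEW` verdict, because a valid Developer ID signature from an unrecognised team is precisely the case Gatekeeper waves through.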

Adware distributed as a Flash Player installer

The adware currently spreads as a file called Player.dmg that installs a legitimate copy of Adobe Flash Player for Mac, but also an unwanted app named Advanced Mac Cleaner and two Safari extensions named Safe Finder and Booking.com.

Wardle believes the adware is currently spread via malicious ads and popups on shady websites. “Either way, user-interaction is likely required [for both the download and installation],” says Wardle.

While it’s quite easy to remove the adware itself from infected computers, Wardle points out in a technical breakdown of the Mughthesec infection routine that other files the adware drops on infected hosts allow the operator to push as many secondary adware payloads as they want.

This is the main reason why Wardle recommends that users who find evidence of a Mughthesec infection reinstall macOS, as they can never know what and how many other malware variants may be harboring on their systems.

[Source: indianexpress]