Home > Cyber News > Apple Macs Compromised by Rudimentary Mugthesec Adware

Apple Macs Compromised by Rudimentary Mugthesec Adware

Potentially unwanted programs (PUPs) have been on the rise with Macs in the last few years. The annoying PUPs can be a pretty daunting and at points exacerbating experience. Software as such will not cease to remind you your device has been infected and neither will it stop showing you unwanted ads. Worse comes to worst; they could even hijack your browser.

Related Story: MacRansom and MacSpy Prove that Macs are Not Safe From Malware

Why Are Apple Macs Susceptible to Basic Adware Infections Like Mugthesec?

For a device, as expensive as Apple Macs are, one would expect to get an above average cybersecurity protection from unwanted malicious software, and rightly so. Unfortunately, this may well be the case where Apple’s security defenses are failing the company’s brand image and essentially the user their self. Malicious intentions are not so hard to carry out if an attacker decides to do so, say “sign” a malicious software with a valid Apple developer certificate, in effect bypassing Apple’s Gatekeeper security program at the mere cost of $99. Apple’s XProtect antivirus software falls no short of Gatekeeper in being an easy target to evade, simply by creating a “new” adware or malware.

A recently discovered adware, called Mugthesec – named by Synack research analyst Patrick Wardle, disguises itself as an Adobe Flash Player Installer effectively seeking the user’s authorization for the installation to begin. It is also suggested that the recently found new strain of macOS adware is a new variant of the older Mac adware going by the name of “OperatorMac.” It is an interesting aspect to observe in Apple’s system security; its weaknesses are exposing users to malicious software that can easily be used gain control to a Mac device, even more so if we include the easy bypassing of third-party antivirus software on Macs.

How Does Mugthesec Infect Apple Macs?

You may well wonder how a simple adware can bypass Apple’s security protocols. Well, as it turns out it is fairly simple and straightforward. Mugthesec bypasses Gatekeeper straightforwardly by obtaining an Apple developer certificate. Furthermore, once this process of the infection has been accomplished, Mugthesec proceeds onto downloading additional unwanted programs in the likes of a fake system optimizer, search-engine hijacker as well as a travel-booking app. Other downloads proceed to install themselves as “launch agents” meaning they will start running every time the system is started up.

Although it is a rather unsophisticated macOS malware, Mugthesec has an additional feature of searching for the presence of certain branded antivirus software. Such features are only present in real and true malware hashes on VirusTotal are checked – among the few antivirus software able to detect the adware were ESET and Ikarus. This means that over 50 other antivirus software was not able to detect the malicious code and have or are at risk of letting Mugthesec bypass them without much opposition.

Although Gatekeeper and other antivirus software should take a significant portion of the blame, at fault are also Mac users who are perhaps not as vigilant as they should be. It goes without question that for any adware to infect an Apple Mac user, the individual must give the adware authorization to download, install and execute its payload. However, unlike many of their Windows-using counterparts, Mac users seem to be more easily tricked into giving authorization to such products.

Related Story: Hackers Devise Microsoft Office Infections via CVE-2017-0199 Exploit

How to Tell if Your Apple Mac Has Been Infected by Mugthesec Adware

Apart from being infected with Mugthesec, users may also become infected with some of the programs that the adware proceeds to download on its own. These may include Advanced Mac Cleaner, Booking.com, and Safe Finder. Either way, if you have been infected by any of the programs mentioned above, here are the steps you could take to remove Mugthesec adware manually:

  1. By using the Terminal command-line interface, you need to delete the Mugthesec launch agent by typing: “launchctl unload ~/Library/LaunchAgents/com.Mugthesec.plist”
  2. Following from this, in the Finder, you need to locate and delete “~/Library/ApplicationSupport/com.Mugthesec/Mugthesec”
  3. Again, in Finder locate and delete “~/Library/LaunchAgents/com.Mugthesec.plist”
  4. Finally, go into Safari and delete the “Any Search” extension. Make sure you check all your browser for that extensions and delete it if it is found elsewhere on other browsers.

It is recommended that you do not blindly invest your trust into Gatekeeper who may or may not detect the Mugthesec adware whenever you download something. If, however, you do download software from the internet, you should check the fine print in the user agreement and inspect it thoroughly. Do look out for checked boxes that essentially allow for installation of other software to occur by giving Mugthesec authorization to download them. There is no guarantee that a free software may be overall safe to use, so you must always be cautious when downloading such software.

Heuristic detectors on other antivirus software products may be able to detect the Mugthesec adware by analyzing behavior and code alterations. Nonetheless, this is not a reliable expectation to have as many antivirus software choose to ignore pieces that are not quite considered as malware.

Kristian Iliev

Second year student at The University of Edinburgh studying Social Anthropology and Social Policy. Avid enthusiast of anything to do with IT, films and watch repairs.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree