OSX.Pirrit – the Malware Adware Compromising Macs

Pirrit Adware (Adware.Pirrit, Adware: Win32/Pirrit) was detected plaguing Windows systems in 2014. The adware now has a Mac variant, first thought to be nothing out of the ordinary. Security analysis shows that OSX.Pirrit is more complicated and capable of malicious activities. It doesn’t just flood the victim’s browser with ads but could also obtain root access to their system. Overall, Pirrit for Windows may have been a classical adware program injecting intrusive ads into browsers, but the Mac variant is worse.

Extensive research dedicated to this persistent malicious adware shows that OSX.Pirrit is not your average adware program: it has root-access and persistence capabilities.

The research, conducted by Amit Serper, security expert at Cybereason, also reveals the company behind the adware operations compromising the believed-to-be invincible OS X – TargetingEdge, an Israeli company.

With components such as persistence and the ability to obtain root access, OSX.Pirrit has characteristics usually seen in malware, the researcher writes.

What’s OSX.Pirrit Adware/ Malware All About?

The Cybereason researcher discovered that OSX.Pirrit had the potential to perform a range of malicious activities.

Attackers could have used the capabilities built into OSX.Pirrit to install a keylogger and steal your log-in credentials or make off with your company’s intellectual property, among many other bad outcomes.

Moreover, all the issues in the Windows variant (revealed in Serper’s separate report on Adware.Pirrit) were fixed in the Mac variant, making it far more capable and dangerous. None of the leftover code present in the Windows threat was present in the Mac variant, and additionally the Pirrit remover script was broken. However, the operators of the adware/malware left something important (and traceable) behind: they did not sanitize the tar.gz archive, one of the archives dropped by OSX.Pirrit:

The tar.gz archive format is a POSIX format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. So when I listed the files inside the archive, I could see the user name of the person who created the archive.
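The attribute leak the researcher describes, as an added Python example (not Cybereason’s tooling and not code from the Pirrit sample): it builds a constructed tar.gz in memory with a placeholder user name, then reads the owner, group and permission fields back from the member headers without extracting anything, which is the check an analyst would run on a dropped archive.

```python
import io
import tarfile
from typing import Dict, List, Set


def build_sample_archive() -> bytes:
    """Build a constructed tar.gz in memory whose members carry owner metadata.
    The user name 'jane.doe', the uid/gid and the paths are placeholders,
    not values from the real OSX.Pirrit archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in (("payload/install.sh", 0o755), ("payload/config.plist", 0o644)):
            data = b"# constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            info.uid, info.gid = 501, 20          # typical first macOS user and 'staff' group
            info.uname, info.gname = "jane.doe", "staff"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_metadata(blob: bytes) -> List[Dict]:
    """Read only the member headers and return the ownership and permission
    attributes a POSIX tar header preserves from the packer's machine."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            rows.append({"name": m.name, "uname": m.uname, "gname": m.gname,
                         "uid": m.uid, "gid": m.gid, "mode": oct(m.mode),
                         "mtime": m.mtime})
    return rows


def creator_usernames(blob: bytes) -> Set[str]:
    """Distinct account names embedded in the archive: the attribution lead
    the article describes."""
    return {row["uname"] for row in archive_metadata(blob) if row["uname"]}


if __name__ == "__main__":
    sample = build_sample_archive()
    for row in archive_metadata(sample):
        print(row)
    print("creator user names:", creator_usernames(sample))
```

The same header fields are visible with `tar -tvzf archive.tar.gz`, which is the listing the researcher refers to.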

TargetingEdge, an Israeli Online Marketing Company, Is Behind OSX.Pirrit

This is how the researcher came to identify the Israeli company believed to be behind OSX.Pirrit’s operations. The user name found in the archive consisted of a first and last name, and belonged to an executive at TargetingEdge, an Israeli online marketing company. There is little information about the company on its official website, besides the unclear “coming soon to a browser near you”.

TargetingEdge is related to two other companies, TLV Media, which makes an ad targeting and ad monetization platform, and Feature Forward, which sells a video platform. According to LinkedIn, all three companies have the same board of directors and the executive who created the OSX.Pirrit variant previously worked for TLV Media.

TargetingEdge is not the first advertising company to be associated with malware and adware campaigns. Security vendor Check Point released a report recently revealing that a Chinese company, Yingmob, was connected to two pieces of mobile malware – YiSpecter for iOS and HummingBad for Android.

The link between ad-supported software (adware) and advertising shouldn’t be too surprising: even big and established companies cooperate with third parties, and often share and sell users’ personal information. Who knows what the real motive of an unknown third party is? In addition, bad actors such as the creators of OSX.Pirrit can easily hide their true nature behind the polished image of an “online marketing company”. It’s a tricky combination of words.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
