Pirrit Adware (Adware.Pirrit, Adware: Win32/Pirrit) was detected plaguing Windows systems in 2014. The adware now has a Mac variant, first thought to be nothing out of the ordinary. Security analysis shows that OSX.Pirrit is more complicated and capable of malicious activities. It doesn’t just flood the victim’s browser with ads but could also obtain root access to their system. Overall, Pirrit for Windows may have been a classical adware program injecting intrusive ads into browsers, but the Mac variant is worse.
A vast research dedicated to the persistent malicious adware shows that OSX.Pirrit is not your average program, since it has root-access and persistence capabilities.
Related: Is My Mac Safe from Malware?
The research, conducted by Amit Serper, security expert at Cybereason, also reveals the company behind the adware operations compromising the believed-to-be invincible OS X – TargetingEdge, an Israeli company.
With components such as persistence and the ability to obtain root access, OSX.Pirrit has characteristics usually seen in malware, the researcher writes.
What’s OSX.Pirrit Adware/ Malware All About?
The Cybereason researcher OSX.Pirrit discovered that OSX.Pirrit had the potential to perform a range of malicious activitis.
Attackers could have used the capabilities built into OSX.Pirrit to install a keylogger and steal your log-in credentials or make off with your company’s intellectual property, among many other bad outcomes.
Moreover, all the issues in the Windows variant (revealed in Serper’s separate report on Adware.Pirrit) were fixed in the Mac variant, making it far more capable and dangerous. No leftover code was present in Mac’s variant (present in the threat for Windows), and additionally the Pirrit remover script was broken. However, the operators of the adware/malware left something important (and traceable) behind – to sanitize the tar.gz archive, one of the archives dropped by OSX.Pirrit:
The tar.gz archive format is a Posix format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. So when I listed the files inside the archive, I could see the user name of the person who created the archive.
TargetingEdge, an Israeli Online Marketing Company, Is Behind OSX.Pirrit
This is how the researcher got to discover the Israeli company believed to be behind the OSX.Pirrit’s operations. The user name found in the archive had a first and last name, and belonged to an executive at TargetingEdge, an Israeli online marketing company. There is no sufficient information about the company on its official websites, besides the unclear “coming soon to a browser near you”.
TargetingEdge is related to two other companies, TLV Media, which makes an ad targeting and ad monetization platform, and Feature Forward, which sells a video platform. According to LinkedIn, all three companies have the same board of directors and the executive who created the OSX.Pirrit variant previously worked for TLV Media.
TargetingEdge is not the first advertising company to be associated with malware and adware campaigns. Security vendor Check Point released a report recently revealing that a Chinese company, Yingmob, was connected to two pieces of mobile malware – YiSpecter for iOS and HummingBad for Android.
Related: The Thin Red Line Between PUPs and Malware
The liaison between ad-supported software (adware) and advertising shouldn’t be too surprising – even big and established companies cooperate with third parties, and often share and sell users’ personal information. Who knows what the real drive of an unknown third party is? In addition, bad coders such as the creators of OSX.Pirrit can easily hide their true nature behind the polished image of an “online marketing company”. It’s a tricky combination of words.