As the data revealed in our State of Malware report showed, Mac threats are on the rise, but they are not the same type of threats experienced by Windows users. Most notably, more traditional forms of malware, such as ransomware, spyware, and backdoors, account for over 27 percent of all Windows threats. That figure is less than 1 percent for Macs.

Further, Mac malware is rather unsophisticated overall. The remaining 99+ percent of Mac threats are "just" adware and potentially unwanted programs (PUPs). This has led some in the Mac community to dismiss these findings as unimportant, even leading one Mac blogger to write:

"Macs don’t get viruses" is a statement that is still overwhelmingly true. However, adware and PUPs can actually be far more invasive and dangerous on the Mac than "real" malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots so deep into the system that they are incredibly challenging to eradicate completely.

To demonstrate our meaning, what follows is a detailed analysis of what may be the most sophisticated threat on macOS, called Crossrider, a threat that is "just adware."

Mac adware installation

Crossrider, also known as Bundlore or SurfBuyer, is detected by Malwarebytes as Adware.Crossrider. Whatever you call it, it's been around for at least six or seven years, and has evolved fairly frequently during that time.

The first stage installer was found from analysis of a "weknow" uninstaller, which contained a link to a shell script. (The name "weknow" comes from one of many websites used by this adware.) This shell script, which kicks off the entire installation process, consists of around 300 lines of code: a fairly modest script that doesn't take long to download. One excerpt the analysis reproduces from the installer's shell code is an array of the brand names the adware travels under; note surfbuyer among them, matching one of the aliases above:

```bash
brands=(flashmall webshoppers webshoppy smartshoppy shoptool shoppytool coolshopper easyshopper liveshoppers smart-shoppy easy-shopper bestwebshoppers hotshoppy bestsmartshoppers myshopmate myshopbot surfmate surfbuyer couponizer shoppinizer shopperify mycouponize myshopcoupon mycouponsmart)
```

Despite its relatively small size, the script opens a deep rabbit hole, downloading and executing a large number of other files. Since much of the code that gets executed is downloaded, the exact payload of the adware can be changed at a moment's notice, and can vary depending on all manner of variables, such as where you're located, whether your machine has been seen before, what else is installed, etc. Further, should any of the various delivery servers be hacked by a more malicious actor, those scripts could be used to deploy more malicious payloads.

Next, after conducting brief tracking data collection and uploading it to a server, Crossrider downloads a file from the following URL:

This file is expanded into an app named mm-install-macos.app. The sole purpose of this app is to phish the user's password by displaying a fake authentication prompt. The password is returned to the script, in plain text, where it is used repeatedly to install the rest of the components.

The script next determines the version of the system and performs one set of actions on macOS 10.11 and higher, and another on older systems. On newer systems, a compressed webtools.app is downloaded and executed using the phished password to run as root:

This app obscures the screen, during which time it installs a large number of files. As part of this process, it also makes a copy of Safari that is modified to automatically enable certain Safari extensions when opened, without user actions required. Although these modifications to Safari break its code signature, which can be used to validate that an app has not been modified by someone other than its creator, macOS will still happily run it because of limitations on when these code signatures are actually checked. After this process completes, the copy of Safari is deleted, leaving the real copy of Safari thinking that it's got a couple additional browser extensions installed and enabled.

On older systems, Crossrider downloads the following file:

This is extracted, and an install.sh script it contains is executed. This script alone has over 900 lines of code, and it runs a number of other scripts and processes to make changes to Safari and Chrome settings and install browser extensions.
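The modified Safari copy described above runs because macOS verifies an app's signature only at particular points (for example, when Gatekeeper assesses a quarantined app on its first launch), not every time an already-installed app starts. You can run that verification yourself. The script below is an added example, not code from the Malwarebytes analysis or from Crossrider: it wraps codesign to classify the verification result for the browsers Crossrider tampers with, and looks for stray Safari.app copies outside /Applications. The directories it searches, the script name, and the sample codesign output lines used to exercise the classifier offline are all assumptions.

```shell
#!/bin/sh
# Added example (not part of the Malwarebytes analysis or of Crossrider).
# Assumes a macOS host with /usr/bin/codesign and find; the classifier is
# plain text matching, so it can be exercised offline on constructed input.

# classify_codesign_output EXIT_STATUS "OUTPUT"
# Maps codesign's exit status and its combined stdout/stderr to one word:
#   ok        the signature verifies
#   modified  bundle contents no longer match the signature
#   unsigned  no signature present
#   other     any other failure (for example, the path does not exist)
classify_codesign_output() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        echo ok
        return 0
    fi
    case "$output" in
        *"code or signature have been modified"*) echo modified ;;
        *"sealed resource is missing or invalid"*) echo modified ;;
        *"not signed at all"*)                     echo unsigned ;;
        *)                                         echo other ;;
    esac
}

# check_app /path/to/App.app
# Prints "<verdict> <path>". --deep walks nested code (helpers, XPC
# services, frameworks); --strict rejects signatures that would pass
# only under older, more lenient rules.
check_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "skipped $app (codesign not available on this host)"
        return 0
    fi
    out=$(codesign --verify --deep --strict -vv "$app" 2>&1) && rc=0 || rc=$?
    echo "$(classify_codesign_output "$rc" "$out") $app"
}

# find_app_copies App.app
# Lists copies of a bundle outside /Applications. Crossrider deletes its
# modified Safari when the installer finishes, so a surviving copy in a
# temp or user directory deserves a closer look. Search roots are assumed.
find_app_copies() {
    name="$1"
    find /private/tmp /private/var/tmp /Users /Library -maxdepth 5 \
        -type d -name "$name" 2>/dev/null || true   # missing roots are fine
}

# Constructed sample lines in the shape codesign prints (not captured from
# a real system) so the classifier can be exercised without macOS.
SAMPLE_VALID='/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement'
SAMPLE_MODIFIED='/private/tmp/Safari.app: invalid signature (code or signature have been modified)'
SAMPLE_UNSIGNED='/private/tmp/x.app: code object is not signed at all'

main() {
    echo "offline samples:"
    echo "  $(classify_codesign_output 0 "$SAMPLE_VALID")    (expected ok)"
    echo "  $(classify_codesign_output 1 "$SAMPLE_MODIFIED")  (expected modified)"
    echo "  $(classify_codesign_output 1 "$SAMPLE_UNSIGNED")  (expected unsigned)"

    echo "installed browsers:"
    for app in "/Applications/Safari.app" "/Applications/Google Chrome.app"; do
        if [ -d "$app" ]; then
            check_app "$app"
        fi
    done

    echo "Safari.app copies outside /Applications:"
    find_app_copies Safari.app
}

main
```

Run it as `sh check_sigs.sh` (the file name is arbitrary). A `modified` verdict on an app you did not rebuild yourself is the signal; `spctl --assess --type execute <app>` shows whether Gatekeeper would also object, which is a separate question from whether the app will launch.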