![]() This report analyzes this latest variant.Īn important note before I discuss my research: In this report, the term installer refers to TargetingEdge’s main product - an installer that installs software like a video player or a PDF reader that’s downloaded from a site. After downloading and analyzing some of the samples, I identified OSX.Pirrit straight away and noticed that many of its methods changed. Just before I wrote this report, one of my OSX.Pirrit-related YARA rules started returning thousands of results, indicating a wave of new infections. These rules allow me to find new variants once they’re released. However, in January 2017, a former TargetingEdge employee, whose name was one of the two found in the dropped files that led us to the company, sent Cybereason his resumé, which clearly establishes a connection between TargetingEdge and OSX.Pirrit.Įvery time I stumble across an interesting malware sample I write YARA rules for it. I'm still researching this program and, in general, constantly track threats, whether it’s sophisticated nation state APTs or “benign adware." Research is how the security community learns about the latest threats and how to stop them.Īs the letter shows, TargetingEdge is trying its best to deny any link to OSX.Pirrit. The authors of this software went through great lengths to mask themselves and distance themselves from it. Twenty-eight other antivirus engines on Virus Total also classify it as such. ![]() Included below is the official response TargetingEdge requested that we include in our report:Ĭybereason isn’t the only security company that identifies OSX.Pirrit as a threat. The letters demand that we stop referring to TargetingEdge's software as malware and refrain from publishing this report. ![]() Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge’s legal counsel. For the past two weeks they've tried to prevent me from publishing this research. My research hasn’t gone unnoticed by TargetingEdge. In addition to bombarding people with ads, it spys on them and runs under root privileges. And, like its predecessors, this variant is nasty. Unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy server on the victim’s machine to hijack the browser, this incarnation uses (or shall I say abuses) AppleScript, Apple's scripting/automation language. Not only is it still infecting people’s Macs, OSX.Pirrit’s authors learned from one of their mistakes (They obviously read at least one of our earlier reports). Curious to see if OSX.Pirrit was still alive and spreading, I recently started to research it again. Now it’s time for chapter three (download a PDF of this report here). And once again, some Pirrit’s servers and distribution websites were taken offline. After investigating it, I discovered that a company called TargetingEdge created OSX.Pirrit and, in July, wrote a report discussing how I figured this out. ![]() But the story doesn’t end there.Ĭheck out some more of Amit's cutting edge research on Operation Soft Cell.Ī few months later, I learned that a new variant of OSX.Pirrit was in the wild. As a result of the report, some of Pirrit’s servers and a few distribution websites were taken down. Ultimately, OSX.Pirrit’s code had the potential to carry out much more malicious activities. While OSX.Pirrit’s main goal was to display ads, the way it did this contains many practices borrowed from traditional malware. With components such as persistence and the ability to obtain root access, OSX.Pirrit has characteristics usually seen in malware. Called OSX.Pirrit, I discovered that it wasn’t your typical adware program that just floods a person’s browser with ads. In April 2016, I published a research report that analyzed a very nasty piece of adware that targets Mac OS X.
0 Comments
Leave a Reply. |