Currently, Mac malware like macOS Shlayer and macOS Bundlore are being spread by hackers.
Most users when surfing the web realize that there are malicious sites they need to be wary of. But, seeing that the search engines they normally use such as Google and Bing come from reputable companies, many assume all is safe there. This couldn’t be further from the truth.
Turns out that you can encounter harmful search results in all of these engines. This shouldn’t come as surprise since Hackread.com has previously reported on several occasions how hackers manipulate Google Search results to trick users into clicking on malicious sites and download malware.
Such an incident was recently uncovered by cybersecurity firm Intego who has discovered a new MAC malware that not only evades Apple’s own security but also has been completely undetected on VirusTotal. It consists of “unique new variants” of the previously known OSX/Shlayer and OSX/Bundlore malware.
For your information, in January 2019, VeryMal, a group of cybercriminals was identified using Shlayer malware to infect Mac devices. The group employed steganography techniques to prevent detection and embedded malicious code in advertisements and popup images.
The same malware was also identified earlier this year in January installing the “Any Search” bar on the targeted Mac device via Adobe Flash updates to deploy adware so that illegal ads could be displayed. Apart from adware, the malware was also intercepting and collecting browser data from the target device and alter search results to deliver a large number of ads.
On the other hand, macOS Bundlore is adware, a type of malware known for displays unwanted advertisements on infected Mac devices since 2015. It not only uses different techniques to bypass Mac’s security mechanism but also collects personal data from the device and redirect users to malicious sites.
In the ongoing campaign, hackers are using Google searchers to spread these malware. Spread in the form of a trojan horse by posing as a disk image that can be used to install Adobe Flash player; users are redirected to the installation page through malicious google searches.
For example, a user may search for the exact title of a YouTube video and then be greeted warmly with search results that would lead them to a page telling them that their Flash Player needs to be updated. Certain warnings are also given alongside to make it seem more serious and lure the user in.
A screenshot shared by researchers show how the popup looks like:
Once the user proceeds to finally download and mount the disk image file, instructions are displayed detailing how the flash player can be installed.
By following these, the installer app opens where eventually a bash shell script runs in a terminal extracting a “self-embedded, password-protected .zip archive file, which contains a traditional (though malicious) Mac .app bundle.
The researchers further explain in their blog post the subsequent steps that follow to successfully complete the attack:
After installing the Mac app into a hidden temporary folder, it launches the Mac app and quits the Terminal. All this takes place within a split second.
Once the Mac app launches, it downloads a legitimate, Adobe-signed Flash Player installer, so that it can appear to be genuine—but the hidden Mac app is designed to also have the capability to download any other Mac malware or adware package, at the discretion of those controlling the servers to which the hidden Mac app phones home.
In this way, the user’s machine is compromised.
To conclude, search engines like Google always try their best to keep away such search results but as with everything in security, success isn’t guaranteed all the time. Hence, users can lead from the forefront and try to only download files from reputable websites.
For those of you who may have been infected, you can try removing the malware by using Intego’s VirusBarrier if your anti-virus solution hasn’t started to detect it yet.
Abusing Google Service is common
This is not the first time when cybercriminals have abused Google to spread malware. Last year, HackRead exclusively reported how hackers are using Google Adwords and Google Sites to spread malware with a fake version of Google Chrome browser.
Moreover, in 2017, hackers were also found exploiting Google Search results to distribute Zeus Panda Banking trojan using SEO-malvertising and SERP Poisoning.
In October last year, researchers identified a strange and infrequent behavior at Googlebot servers where malicious requests were originating from them. After digging further, it was discovered that hackers were using Googlebots in cryptomining malware attacks.