New OSX.Pirrit Malware floods Mac devices with ads; spies on users

Amit Serper, principal security researcher at security firm Cybereason, has discovered an invasive variant of the OSX.Pirrit adware that targets macOS and lets attackers invade and completely hijack any Mac computer. Thousands of Mac devices across the globe have already been infected with the adware.

This campaign is a bit different from regular adware campaigns, stated Serper: other campaigns let the attacker bombard a computer with ads, while this one not only floods the computer with ads but also spies on the user. It also allows attackers to capture the user's personal information and claim the highest level of user privileges. It steals sensitive personal data, including bank account logins and critical financial and business data.

“As for OSX.Pirrit malware, it runs under root privileges, creates autoruns and generates random names for itself on each install. Plus, there are no removal instructions and some of its components mask themselves to appear like they’re legitimate and from Apple,” wrote Serper.

Serper stated that the adware was ‘Very Active’ and still infecting Macs. Previous versions of OSX.Pirrit used rogue browser plug-ins and also attempted to install a proxy server on the hijacked device, but this version uses AppleScript, Apple’s scripting and automation language. AppleScript lets the malware inject JavaScript code directly into the browser, which shows how any adtech firm can use the “nefarious tactics” present in the malware to keep it from being detected by antivirus software.

Serper noted that the Israeli firm TargetingEdge created OSX.Pirrit and that the malware's authors have worked really hard to avoid detection, since the firm claims to be involved in the development and operation of “legitimate and legal installer product for Mac users.”


Serper also stated that the firm was threatening legal action for being linked to the malware. Cybereason has been publishing reports since April 2016 in which it has named TargetingEdge [PDF] for this adware, and the third report [PDF] was published this week. All the reports were written by Serper, and in his latest report [PDF] he has referred to the malware as Nasty.

“For the past two weeks, they’ve tried to prevent me from publishing this research. Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge’s legal counsel. The letters demand that we stop referring to TargetingEdge’s software as malware and refrain from publishing this report,” wrote Serper.



Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.