Researchers discovered a Mac OS X variant of the Windows-based Pirrit adware that creates a proxy server on infected Mac computers and injects ads into webpages. According to researchers at Boston-based Cybereason Labs, the adware, dubbed OSX.Pirrit, is mostly benign, serving up just ads, but has the potential to morph into something more sinister.
“Today OSX.Pirrit is considered a low threat,” said Amit Serper, lead Mac OS X and Linux security researcher at Cybereason, who discovered the adware. “But, technically those behind OSX.Pirrit have complete access to targeted systems,” he said in an interview with Threatpost.
“Instead of spamming you with ads, they could have just as easily stolen personal data or taken your company’s secret sauce. Or they could have installed a keylogger to capture the log-in credentials for your bank account,” wrote Serper in a research note posted Wednesday.
Samples of the OSX.Pirrit adware Cybereason has tested have been hidden inside bogus Adobe Flash updates and embedded in software cracks for Microsoft Office 2016 and Adobe Photoshop CC. Cybereason has posted a removal shell script for technical professionals who suspect they may be infected.
“The only way to see that it’s running (other than wondering where all the ads are coming from) is to look at the running process list and examine it closely,” Serper said. “Right now, infections are limited in scope, but we are seeing an acceleration in Mac OS Pirrit variants,” he said.
Typical infections include popup and pop-under ads, embedded banner ads inside websites and hyperlinks inserted into specific words on a web page. One of the ad networks tied to the adware includes Poland-based Red Sky, according to Serper. Red Sky did not reply to an email request for response to this report.
“This adware has been targeting Windows machines for a while, but it is new to Macs: antivirus software just started to pick up this threat a few days ago,” Serper wrote.
Serper said that, unlike the Windows version of Pirrit, the Mac OS X version is much more “malicious.” He said that’s because “OSX.Pirrit takes total control of your machine, while the Windows version just serves ads.”
“OSX.Pirrit didn’t use any exploits to compromise a Mac. It infiltrated machines by using a simple social engineering trick to deceive people into providing their log-in credentials for a fake update, possibly for Flash,” he wrote.
The version of OSX.Pirrit Cybereason has found is signed with a valid Apple certificate, allowing it to install on systems without triggering alarms from the security features built into OS X. The Mac version of Pirrit has also been written using the Qt Framework. For those reasons, Serper suspects, the adware was “probably written by someone with a Linux background who has little knowledge about OS X development,” he said.
“While the lack of malware targeting Mac OS X means there isn’t much Mac malware research available, this doesn’t mean Apple computers are somehow immune to threats,” Serper wrote.
Win32/Pirrit, the Windows version of the adware, was first discovered in Sept. 2014, according to Microsoft. It was predominantly distributed with free software and inserted browser toolbars, injected banner ads and turned words into hyperlink ads.