Researchers have linked a variant of the Pirrit adware for Mac OS X to an Israeli online marketing company called TargetingEdge that is still in stealth mode.

Amit Serper, lead Linux and Mac OS X researcher at Cybereason, said that a script he wrote to remove the original version of Pirrit from compromised machines had recently stopped working, leading him to investigate what turned out to be a variant.

Pirrit is adware with many capabilities that teeter on the brink of having it classified as malware, including features that maintain persistence on machines and try to attain root access. It not only injects ads, but also hijacks traffic through a proxy server. The latest variant also seeks out and removes competitive adware.

The variant, however, may have been tossed together in a rush after Cybereason’s original research in April exposed the adware’s nefarious side, Serper said.

Serper said that he was able to obtain the files for the variant and examine an archive called dit8.tgz that opened the door to exposing Pirrit’s authors.

“The variant’s creators made a crucial mistake that caused their entire operation to topple like a house of cards,” Serper wrote in a report published today. “The tar.gz archive format is a Posix format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. So when I listed the files inside the archive, I could see the user name of the person who created the archive.”
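
The owner fields Serper describes can be read from an archive's member headers without extracting any files. The following is an added example, not code from Cybereason's report: it builds a constructed sample archive in memory and summarizes the owner metadata an analyst would see; the account name `builduser`, the file names and the function names are all assumptions.

```python
import io
import tarfile
from collections import Counter


def build_sample_archive() -> bytes:
    """Constructed sample: a small .tgz whose members carry owner metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uname, uid in [
            ("payload/install.sh", "builduser", 501),   # hypothetical names
            ("payload/agent.plist", "builduser", 501),
            ("payload/README", "", 0),  # member with no recorded user name
        ]:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uname, info.gname = uname, "staff" if uname else ""
            info.uid, info.gid = uid, 20 if uname else 0
            info.mtime = 1460000000
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def owner_metadata(archive_bytes: bytes) -> Counter:
    """Count members per (uname, uid, gname, gid) as stored in the headers."""
    owners = Counter()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:  # headers are parsed; nothing is extracted to disk
            owners[(member.uname, member.uid, member.gname, member.gid)] += 1
    return owners


def recorded_usernames(archive_bytes: bytes) -> list:
    """Distinct non-empty account names stored in the archive headers."""
    return sorted({o[0] for o in owner_metadata(archive_bytes) if o[0]})


if __name__ == "__main__":
    sample = build_sample_archive()
    for (uname, uid, gname, gid), count in owner_metadata(sample).items():
        print(f"{count} member(s) owned by "
              f"{uname or '<none>'}({uid}):{gname or '<none>'}({gid})")
    print("account names:", recorded_usernames(sample))
```

Members with an empty user name still carry a numeric uid and gid, so the summary keeps both forms.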

Some Google searches and searches on LinkedIn led him to executives at TargetingEdge, which according to its LinkedIn profile offers a Mac-approved installer and facilitates the monetization of ad traffic. The company has ties to TLV Media, another Israeli ad targeting and monetization platform provider, and Feature Forward, which sells a video platform. The three companies share the same board of directors and some executives have worked at both places.

Serper said he has not been able to contact TargetingEdge. A request for comment from Threatpost to an email address on the company’s home page bounced back.

“This is a company that makes a product and their way of monetizing it is by selling ad space on people’s computers without the owner knowing it,” Serper told Threatpost.

Serper said Pirrit is spreading to computers worldwide, piggybacking on downloads for legitimate software where its creators removed the original installers and replaced them with an installer that includes software such as media players and the Pirrit adware.

Pirrit has been, since 2014, primarily a Windows threat; the Mac OS X version, however, has the potential for far more malicious activity, Serper said.

The original version of OSX.Pirrit that Cybereason found was signed with a valid Apple certificate, allowing it to install on systems without triggering alarms within security features built into OS X. The Mac version of Pirrit has also been written using the Qt Framework. For those reasons, Serper suspects, the adware was likely written by someone with a Linux background, rather than OS X.
