A unique scareware campaign targeting Mac OS X machines has been discovered, and it’s likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.
“Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks,” said Johannes Ullrich, dean of research of the SANS Institute’s Internet Storm Center, which on Thursday publicly disclosed the campaign. “So far, it apparently hasn’t been revoked by Apple.”
Ullrich said he happened upon the scam while investigating some click-bait links on Facebook, below. One led him to emgn[.]com that he says was likely hosting a malicious ad that served a pop-up warning that his Adobe Flash Player was out of date. Ullrich was using a clean default install of OS X 10.11 in a virtual machine, and Flash was not installed on the image.
If the user clicks on the download button in the popup, the scareware is installed as well as a legitimate and current version of Flash Player.
The legitimate Apple developer certificate probably allowed the scareware to bypass OS X’s Gatekeeper security feature. Gatekeeper is native to OS X and gives the user better control over apps that are allowed to run on a Mac; only apps downloaded from the Apple App Store or signed with an Apple cert are allowed past Gatekeeper. Researcher Patrick Wardle has also demonstrated some Gatekeeper bypasses that don’t require a certificate that have been partially addressed by Apple.
In this case, Ullrich said Apple’s XProtect, built-in antimalware protection on OS X, did not detect the threat either. He added that detection rates on VirusTotal were initially low, but have since improved to complete coverage.
Once the installer drops the scareware, the user is presented with a button to start a scan of their computer for problems. The scan shows likely phony logos from security companies that the tool has been verified. The scan naturally returns a number of viruses, Trojans etc., that need to be addressed, and offers the user the chance to buy a cleaning tool.
Ullrich said the malicious ad likely does browser fingerprinting in order to target OS X users, and the installation of the legitimate version of Flash is done to add some legitimacy to the attack. He said he did not see similar pop-ups on a Windows image.
“I think the initial Flash Update notification is pretty convincing,” Ullrich said. “As far as the scareware that is being installed, personally I find it a bit over the top and not very plausible, but I have talked to people in the past that fell for similar scareware.”