A devious and baffling new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users’ Google search results, we’re told.
A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS computers to route the user’s network connections through a local proxy server that modifies Google search results.
Malware that squirts ads and other junk into websites as they are visited on Macs typically relies on installing browser or operating system extensions, or injecting AppleScript, to pull off this kind of caper. Not so with this strain, which is probably trying to work around security defenses introduced in macOS Mojave that shut down those older injection techniques, so it moves the tampering into the network path instead.
Bad a Bing, badda-boom
In this latest case, it is claimed, the malware masquerades as an installer for an Adobe Flash plugin – delivered perhaps by email or a drive-by download – that the user is tricked into running. This bogus installer asks the victim for their macOS account username and password, which it can use to gain sufficient privileges to install a local web proxy and configure the system so that all web browser requests go through it. That proxy can meddle with unencrypted data as it flows in and out to and from the public internet.
A root certificate is also added to the Mac’s keychain and marked as trusted, giving the proxy the ability to mint SSL/TLS certs on the fly for whichever websites are requested. That lets it decrypt, inspect and tamper with HTTPS traffic, not just plain HTTP. This man-in-the-middle eavesdropping works against HTTP websites, and against any HTTPS site whose client does not pin the server’s certificate: browsers deliberately accept roots that have been installed locally, so HSTS and the browsers’ built-in pin lists offer no protection here, whereas a native app that pins its own server certificate will refuse the forged one.
When the user opens their browser and runs a Google search on an infected Mac, the request is routed through the local proxy, which fetches the Bing results for the same query and injects them into the Google results page as an HTML iframe, weirdly enough.
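The two host-level footprints this leaves, a system proxy pointed at the local machine and a root certificate with explicit trust settings in the keychain, are both visible from the command line. The following is an added example for hunting them, not code from Airo’s report or from the malware: it parses the text output of `scutil --proxy` and `security dump-trust-settings` (user domain) / `security dump-trust-settings -d` (admin domain), runs those commands when it is on macOS, and otherwise falls back to the constructed sample outputs embedded below. The sample values and the certificate name in them are invented for illustration; the output shapes are assumed to match current macOS.

```python
"""Hunt for a loopback web proxy and user/admin-trusted root certificates
on macOS (added example; samples below are constructed, not captured)."""
import platform
import re
import subprocess

# Constructed sample of `scutil --proxy` after HTTP and HTTPS have been
# pointed at a listener on the machine itself (values are made up).
SAMPLE_SCUTIL_PROXY = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 127.0.0.1
  ProxyAutoConfigEnable : 0
}
"""

# Constructed sample of `security dump-trust-settings` with one root that has
# been marked trusted for SSL; the certificate name is invented.
SAMPLE_TRUST_SETTINGS = """\
Number of trusted certs = 1
Cert 0: Example Installer Root CA
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustResultProceed
"""


def parse_scutil_proxy(text):
    """Return {scheme: (host, port)} for every proxy scheme scutil reports as
    enabled (`HTTPEnable : 1` plus `HTTPProxy`/`HTTPPort`, likewise HTTPS,
    SOCKS and FTP). A PAC URL is returned under the "PAC" key with port 0."""
    kv = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*:\s*(.+?)\s*$", line)
        if m:
            kv[m.group(1)] = m.group(2)
    proxies = {}
    for scheme in ("HTTP", "HTTPS", "SOCKS", "FTP"):
        if kv.get(scheme + "Enable") == "1" and scheme + "Proxy" in kv:
            proxies[scheme] = (kv[scheme + "Proxy"], int(kv.get(scheme + "Port", "0")))
    if kv.get("ProxyAutoConfigEnable") == "1":
        proxies["PAC"] = (kv.get("ProxyAutoConfigURLString", ""), 0)
    return proxies


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def loopback_proxies(proxies):
    """Schemes whose proxy lives on the local machine, the setup the article
    describes. A PAC entry counts when it is a file:// URL or its host is
    loopback."""
    hits = []
    for scheme, (host, port) in proxies.items():
        target = host
        if scheme == "PAC":
            m = re.match(r"(https?)://([^/:]+)", host)
            target = m.group(2) if m else ("127.0.0.1" if host.startswith("file://") else host)
        if is_loopback(target):
            hits.append((scheme, host, port))
    return hits


def parse_trust_settings(text):
    """Names of certificates carrying explicit trust settings in the dumped
    domain. On a clean Mac the user and admin domains are usually empty or
    hold only roots you (or your MDM) installed, so each name deserves a look."""
    return re.findall(r"^Cert \d+: (.+?)\s*$", text, re.MULTILINE)


def run(cmd):
    """Run a command and return its stdout, or None if it cannot be started."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return None


def gather():
    """Live findings on macOS; the constructed samples elsewhere."""
    if platform.system() == "Darwin":
        proxy_text = run(["scutil", "--proxy"]) or ""
        trust_text = "\n".join(filter(None, [
            run(["security", "dump-trust-settings"]),        # user domain
            run(["security", "dump-trust-settings", "-d"]),  # admin domain
        ]))
    else:
        proxy_text, trust_text = SAMPLE_SCUTIL_PROXY, SAMPLE_TRUST_SETTINGS
    return {
        "loopback_proxies": loopback_proxies(parse_scutil_proxy(proxy_text)),
        "trusted_roots": parse_trust_settings(trust_text),
    }


if __name__ == "__main__":
    findings = gather()
    for scheme, host, port in findings["loopback_proxies"]:
        print(f"[!] {scheme} proxy points at {host}:{port}")
    for name in findings["trusted_roots"]:
        print(f"[?] certificate with explicit trust settings: {name}")
    if not any(findings.values()):
        print("no loopback proxy and no custom trust settings found")
```

Neither finding is proof of infection on its own: developers run local intercepting proxies on purpose, and enterprises push their own roots. The combination of a loopback proxy that the user did not configure and an unfamiliar trusted root is what matches the behaviour described here, and the dumped trust settings also tell you which keychain domain the root landed in, which is what a clean-up has to remove.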
But why, you may ask. It’s believed the Bing results bring in web ads that generate revenue for the malware’s masterminds. “To our understanding, the attackers make money out of ads they manage to serve via this process,” an Airo spokesperson told us. “It could be Bing ads in this case, or other ads throughout the process.”
The complex steps of the MITM process, say Airo researchers Roy Avni and Oksana Davidov, are a response to Apple’s security measures in macOS Mojave, which lock down the browser extensions and AppleScript tricks that adware previously relied on. And it’s possible future versions of the malware will snoop on and vandalize websites besides Google.com, of course.
“This aggressive search takeover and injection method seems to be a response to recent changes in macOS Mojave which had deprecated ‘traditional’ methods such as extension installation and browser setting takeovers,” the pair explained. “By using MITM, the attackers can inspect all the user’s traffic, including encrypted content, manipulate it and return handled responses back to the user.” ®