• The adware can independently capture invisible data through man-in-the-middle attacks, without relying on the injected JavaScript.
• Even if a user removes the adware from an infected computer, the system still remains vulnerable to future man-in-the-middle attacks.

A new Mac malware dubbed OSX.SearchAwesome was recently found active in the wild. The malware can perform various malicious activities, such as intercepting encrypted web traffic to inject ads. The adware poses as a legitimate application and installs a certificate along with the legitimate open-source mitmproxy program, which can then be used by attackers to perform man-in-the-middle (MiTM) attacks on the targeted computer.

The malware can also inject malicious scripts, which can be used to perform a wide array of malicious actions including mining cryptocurrencies, stealing browsing data, keylogging and more. What is more, the malware is also capable of independently capturing invisible data through MiTM attacks, without relying on malicious JavaScript.

"This adware, at first glance, seems to be fairly innocuous, since it’s just injecting a script that serves up advertisements. Looks can be deceiving, though," Malwarebytes security researchers Adam Thomas and Thomas Reed wrote in a blog. "Since that script is being loaded from a server, that server’s content could change at any time. It could change from serving ads to siphoning off user data or redirecting the user to a phishing site."

Behavioral vector

Unlike other malware that tries to appear legitimate, SearchAwesome uses a blank disk image file as its installer. Once this file is opened, the malware installs all of its payloads in the background and only shows the user a request to change the Certificate Trust Settings.

The malware also asks the user to allow it to modify the system's network configuration. It is downloaded by a second-stage installer without the victim's knowledge.

SearchAwesome installs an open-source program called mitmproxy. According to the researchers, this application can be used by threat actors to intercept, modify and replay encrypted web traffic.

"The software is designed to use this capability to modify web traffic for the purpose of injecting JavaScript into every page," the researchers said.

The malware also injects a script, loaded from a malicious website, at the end of every webpage loaded on the infected computer, the researchers said.

Set up for future MitM attacks

If a victim tries to delete the malware-laced spi.app from an infected computer, the spid-uninstall.plist agent will run many other operations to remain persistent on the computer.

Even if the user removes the malware from the computer, OSX.SearchAwesome sets up the computer with tools and proxies that can be utilized in future MiTM attacks.

"Even once the malware is gone, its potential for damage is not over. By leaving behind the tools it used to execute a MitM attack, it sets up a situation where another piece of malware—perhaps one more nefarious than this one—could take advantage of the presence of those tools to do its own capturing of encrypted web traffic," the researchers added.
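As an added example (not code from the article or from the Malwarebytes researchers), the following shell script checks a Mac for the three leftovers described above: a proxy configured in the network settings, a trusted mitmproxy CA certificate, and the spid-uninstall.plist agent. It assumes the proxy points at the local mitmproxy instance, that the certificate carries mitmproxy's default "mitmproxy" label, and that the agent lives in ~/Library/LaunchAgents; the parsing functions take command output as text so they can be exercised on constructed samples.

```shell
#!/bin/sh
# Added defender-side check, not code from the article or from Malwarebytes.
# Assumptions: proxy settings point at a local mitmproxy, the CA label is
# "mitmproxy" (mitmproxy's default), the agent sits in ~/Library/LaunchAgents.

# Parse `networksetup -getwebproxy` / `-getsecurewebproxy` output ("Key: Value"
# lines). Prints server:port and returns 0 when the proxy is enabled.
proxy_enabled() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "Enabled" { en = $2 }
        $1 == "Server"  { srv = $2 }
        $1 == "Port"    { port = $2 }
        END { if (en == "Yes") { print srv ":" port; exit 0 } else exit 1 }'
}

# Parse `security find-certificate -a -c mitmproxy -p <keychain>` output:
# returns 0 when at least one PEM certificate matched that label.
mitm_cert_present() {
    printf '%s\n' "$1" | grep -q 'BEGIN CERTIFICATE'
}

# Returns 0 when the persistence agent is still present in the given directory.
leftover_agent() {
    [ -f "$1/spid-uninstall.plist" ]
}

# Live run, macOS only (networksetup/security are not present elsewhere).
if command -v networksetup >/dev/null 2>&1; then
    # First line of -listallnetworkservices is a legend; '*' marks disabled.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        for kind in getwebproxy getsecurewebproxy; do
            hit=$(proxy_enabled "$(networksetup -$kind "$svc")") &&
                echo "proxy set on '$svc' ($kind): $hit"
        done
    done
    cert=$(security find-certificate -a -c mitmproxy -p \
        /Library/Keychains/System.keychain 2>/dev/null)
    mitm_cert_present "$cert" && echo "mitmproxy CA present in System keychain"
    leftover_agent "$HOME/Library/LaunchAgents" &&
        echo "spid-uninstall.plist still installed"
fi
```

A hit on any of the three is worth investigating even after spi.app has been deleted, since the proxy and trusted CA are what make later interception possible.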

Cyware Publisher