A variant of an old adware family for Mac was recently discovered that sneaks past Apple's built-in security checks.
Dubbed 'Mughthesec,' the program is an improved version of the OperatorMac malware family, according to Thomas Reed, a Mac malware researcher at Malwarebytes. Its components are signed with a legitimate Apple developer certificate, so they pass Apple's Gatekeeper, which blocks the installation of unsigned applications but does not judge whether a validly signed one is trustworthy.
According to an analysis by Patrick Wardle, Chief Security Researcher of R&D at Synack, Mughthesec likely spreads through the usual pop-ups or malicious ads and masquerades as an Adobe Flash Player installer. If the installer detects that it is running inside a virtual machine, it installs a legitimate copy of Flash Player instead, a common trick for frustrating analysis. On a real machine it installs additional programs: Advanced Mac Cleaner, Safe Finder, and a Booking.com app, all of which are unwanted software.
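Because Gatekeeper only checks that an installer is signed, not who signed it, the useful triage step for a supposed Flash Player installer is to read the signer identity and Team ID and compare them with the vendor it claims to be. The script below is an added example, not code from the article, Malwarebytes or Wardle; the sample `codesign` output and the Team IDs in it are constructed, and `EXPECTED_TEAM_ID` is a placeholder you must replace with the value taken from a known-good copy of the vendor's software. Only `assess_bundle` needs macOS (`spctl`, `codesign`); the parsing runs anywhere.

```shell
#!/bin/sh
# Added example: triage a macOS installer's code signature before trusting it.
# Gatekeeper answers "is it signed?"; this answers "signed by whom?".

# Team ID you expect for the vendor the installer claims to be.
# ASSUMPTION: placeholder value. Get the real one from a known-good copy, e.g.
#   codesign -dvv /Applications/<vendor app>.app 2>&1 | grep TeamIdentifier
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"

# Constructed sample of `codesign -dvv` output (made-up identifiers).
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/Install Flash Player/Install.app/Contents/MacOS/Install
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8963
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=9 Aug 2017, 10:00:00
TeamIdentifier=ABCDE12345'

# Read `codesign -dvv` text on stdin, print "<leaf authority>|<team id>".
# The first Authority= line is the leaf, i.e. the developer's certificate;
# an unsigned binary yields "|" because neither field is present.
parse_codesign_output() {
  awk -F= '
    /^Authority=/ && leaf == "" { leaf = $2 }
    /^TeamIdentifier=/          { team = $2 }
    END { printf "%s|%s\n", leaf, team }
  '
}

# Classify the observed signer: expected | mismatch | unsigned.
# $1 = expected Team ID, $2 = observed Team ID ("" or "not set" when absent).
classify_signer() {
  case "$2" in
    ""|"not set") echo unsigned ;;
    "$1")         echo expected ;;
    *)            echo mismatch ;;
  esac
}

# Live check on macOS: Gatekeeper verdict, then the signer identity.
assess_bundle() {
  app="$1"
  echo "== Gatekeeper (spctl) =="
  spctl --assess --type execute --verbose=4 "$app" 2>&1
  echo "== Signer (codesign) =="
  info=$(codesign -dvv "$app" 2>&1 | parse_codesign_output)
  leaf=${info%|*}
  team=${info#*|}
  echo "leaf authority: $leaf"
  echo "team id:        $team"
  echo "verdict:        $(classify_signer "$EXPECTED_TEAM_ID" "$team")"
}

# Usage: EXPECTED_TEAM_ID=<vendor team id> sh triage.sh "/Volumes/Install Flash Player/Install.app"
if [ "$#" -gt 0 ]; then
  assess_bundle "$1"
fi
```

A `mismatch` verdict on an installer that calls itself Flash Player is exactly the Mughthesec case: a perfectly valid Developer ID signature belonging to someone other than Adobe. Treat `unsigned` and `mismatch` the same way in practice and do not run the installer.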
Once these are installed, the malware's goal is to earn as much ad revenue from the victim as possible. It changes Safari's homepage to an attacker-controlled domain and switches the browser's search engine to AnySearch. Advanced Mac Cleaner then pesters the user with warnings that the system has problems and that a fee must be paid to fix them.
Wardle has detailed on his blog how to manually disinfect a system from Mughthesec. However, he points out that the downloaded installer could drop as many payloads as it wants, so a manual cleanup cannot guarantee that nothing was missed. "So it's probably best to just reinstall macOS," he concludes.
All things considered, being careful about what we download from the internet goes a long way toward staying protected from threats like this one, and Mughthesec is a reminder that a valid signature alone says little: check who signed an installer, not just whether it is signed.