Cyber-security firm Cybereason says it received multiple cease and desist letters from an Israeli company they suspect is allegedly behind the OSX/Pirrit adware strain.

Through the letters, the company tried to block Cybereason from publishing a new report on one of their products. Despite the legal threats, Cybereason published its research earlier today, a report detailing the new tactics employed by OSX/Pirrit, a macOS adware strain.

Third report on OSX/Pirit adware

This is the third report that Cybereason has published on the activities of OSX/Pirrit. All reports were authored by Amit Serper, one of the company's lead researchers.

The first report, published in April 2016, dealt with the first cases of OSX/Pirrit infections, and how the malware was ported from a previous Windows version.

The second report, published in July 2016, named Israeli advertising company TargetingEdge as the authors of OSX/Pirrit. Serper reached this conclusion based on several clues left in the Pirrit samples source code he analyzed.

The third report, published today, deals with the technical changes that have taken place in the OSX/Pirrit code since the last report.

New OSX/Pirrit tricks users into handing over root password

More specifically, the adware does not rely on rogue browser plugins and local proxy servers to inject ads in users' web traffic but uses AppleScript to do so after tricking users into handing over their root passwords.

According to Serper, it does so via TargetingEdge’s main product, an installer that helps users set up various macOS apps (video players, PDF readers, etc.), which asks users for their root password during the installation process.

Cybereason says OSX/Pirrit uses this root password to download other components and run the traffic-injecting AppleScripts with the privileges they need.

TargetingEdge denies is product it's Pirrit

In the spite of Cybereason's damning report, TargetingEdge denied its installer software is the OSX/Pirrit malware, according to a statement it made in one of the cease and desist letters it sent to Cybereason.

TargetingEdge statement

Cybereason reacted by pointing out the fact that 28 other antivirus engines available through VirusTotal also categorize TargetingEdge's installer software as Pirrit or adware.

Furthermore, Serper says that a former TargetingEdge developer who applied for a job with Cybereason bragged about working on Pirrit in a resume he sent in January 2017.

CV of former TargetingEdge employee

On Twitter, Serper was adamant that he was right to classify TargetingEdge's software as adware and malware.

"Adware is malware, people can say whatever they want. It's still code that's spying on you and is a pain in the ass to remove," he said.

This is not the only case where an adware vendor has criticized and threatened legal action against a cyber-security firm for classifying their software as malware. Genieo made similar threats against Malwarebytes in 2013.