A new family of Mac adware is bound to cause headaches for infected victims, as the only reliable way to remove it and its secondary payloads is to reinstall macOS from scratch, according to Patrick Wardle, Director of Research at Synack and a well-known Mac malware researcher.
This new adware's name is Mughthesec, and according to Thomas Reed, an expert in Mac malware at Malwarebytes, it's a new and improved version of the older OperatorMac family that's been haunting Mac users for quite some time.
Thanks, Patrick sent me the hash too. Looks like a new variant of something we call OperatorMac (though that may be a bad name).— Thomas Reed (@thomasareed) August 8, 2017
Other researchers say they've seen Mughthesec around for at least six months.
I can confirm it’s been there for at least 6 months when I found it on my parents' MacBook. I just wiped it but thanks for the write up!— Neal (@iNeal) August 9, 2017
Nonetheless, it was a recent tweet that put the leading Mac malware researchers on Mughthesec's trail, intent on taking it apart to see how the adware operates.
Their research uncovered an evolved threat that includes a MAC-address-based anti-VM check and is signed with a valid Apple developer certificate, which lets it pass Apple's Gatekeeper checks without being flagged.
Very little Mac malware is signed with a valid certificate, which makes Mughthesec fairly unusual among its peers.
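To make the anti-VM check concrete, here is an added example (not Mughthesec's own code, and not from Wardle's analysis) of how adware typically decides it is running inside a virtual machine: it compares the first three octets of each network interface's MAC address, the vendor OUI, against prefixes registered to VM vendors. The prefix table and the two ifconfig-style samples below are constructed assumptions; the article does not say which prefixes Mughthesec looks for.

```python
"""
OUI-based virtual machine detection, as an illustration of the technique
the article attributes to Mughthesec. Added example; the VM_OUIS table and
the sample ifconfig output are constructed, not taken from the adware.
"""

# Well-known OUIs (first three octets) registered to VM vendors.
# Assumption: a plausible list, not the one the adware actually uses.
VM_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V",
}


def normalize_mac(mac):
    """Lower-case the address and zero-pad octets (defensive: accept '8:0:27:...')."""
    return ":".join(part.zfill(2) for part in mac.strip().lower().split(":"))


def vm_vendor(mac):
    """Return the VM vendor whose OUI matches this MAC, or None for a physical-looking NIC."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def macs_from_ifconfig(text):
    """Extract the 'ether' hardware addresses from ifconfig-style output."""
    macs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ether "):
            macs.append(normalize_mac(line.split()[1]))
    return macs


def looks_like_vm(ifconfig_text):
    """Return (is_vm, [(mac, vendor), ...]) listing every interface with a VM-vendor OUI."""
    hits = []
    for mac in macs_from_ifconfig(ifconfig_text):
        vendor = vm_vendor(mac)
        if vendor:
            hits.append((mac, vendor))
    return bool(hits), hits


# Constructed sample: a guest with a Parallels-assigned NIC.
SAMPLE_IFCONFIG_VM = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1c:42:3a:91:7f
    inet 10.211.55.4 netmask 0xffffff00 broadcast 10.211.55.255
"""

# Constructed sample: a physical Mac (made-up Apple-looking OUI).
SAMPLE_IFCONFIG_HOST = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether a4:83:e7:12:34:56
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
"""

if __name__ == "__main__":
    for label, sample in (("vm", SAMPLE_IFCONFIG_VM), ("host", SAMPLE_IFCONFIG_HOST)):
        print(label, looks_like_vm(sample))
```

The practical consequence for analysts is the mirror image: a sample with this check will stay dormant in a stock VMware, VirtualBox or Parallels guest, so set the guest's NIC to a MAC with a non-VM OUI (or otherwise mask the vendor prefix) before detonating it, or the install routine and its secondary payloads will never show up.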
The adware currently spreads as a file called Player.dmg, which installs a legitimate copy of Adobe Flash Player for Mac alongside an unwanted app named Advanced Mac Cleaner and two Safari extensions, Safe Finder and Booking.com.
Wardle believes the adware is currently spread via malicious ads and popups on shady websites. "Either way, user-interaction is likely required [for both the download and installation]," says Wardle.
While the adware itself is easy enough to remove from an infected computer, Wardle's technical breakdown of the Mughthesec infection routine points out that other files it drops on infected hosts let the operator push down as many secondary adware payloads as they want.
This is the main reason Wardle recommends that users who find evidence of a Mughthesec infection wipe and reinstall macOS, since they can never know what, or how many, other malware variants the system might be harboring.