Mughthesec

A new family of Mac adware is bound to cause headaches for infected victims, as the only way to remove it and its secondary payloads is to reinstall macOS from scratch, according to Patrick Wardle, Director of Research at Synack and a well-known Mac malware researcher.

This new adware's name is Mughthesec, and according to Thomas Reed, an expert in Mac malware at Malwarebytes, it's a new and improved version of the older OperatorMac family that's been haunting Mac users for quite some time.

Other researchers say they've seen Mughthesec around for at least six months.

Nonetheless, it was a recent tweet that put the top Mac malware researchers on the trail of Mughthesec, intending to break it down and see how the adware operates.

Their research uncovered an evolved threat that includes a MAC-address-based anti-VM detection system and is signed with a valid Apple developer certificate, allowing it to pass through Apple's Gatekeeper checks undetected.
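The MAC-address-based VM check mentioned above works by comparing the first three bytes of a network interface's hardware address (the OUI) against prefixes registered to hypervisor vendors. The following script is an added illustration, not code from the article or from the researchers' analysis, written from the analyst's side: it parses macOS-style `ifconfig` output and flags interfaces whose OUI would reveal a sandbox VM to a check like this. The `ifconfig` sample is constructed and the OUI list is illustrative, not exhaustive.

```python
# Analyst-side check: does this host's NIC advertise a hypervisor OUI?
# Sample data and OUI table below are illustrative, not from the article.

# OUI prefixes assigned to common hypervisor vendors (partial list).
HYPERVISOR_OUIS = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:1c:42": "Parallels",
}

# Constructed sample of `ifconfig` output in macOS/BSD format (not real data).
SAMPLE_IFCONFIG = (
    "lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384\n"
    "\tinet 127.0.0.1 netmask 0xff000000\n"
    "en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tether 00:1c:42:ab:cd:ef\n"
    "\tinet 10.211.55.4 netmask 0xffffff00 broadcast 10.211.55.255\n"
)


def parse_macs(ifconfig_text):
    """Return {interface: mac} from macOS/BSD ifconfig output.

    Interface blocks start at column 0 ("en0: flags=..."); the hardware
    address appears on an indented "ether xx:xx:xx:xx:xx:xx" line.
    """
    macs, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            current = line.split(":", 1)[0]
        elif current and line.strip().startswith("ether "):
            macs[current] = line.split()[1].lower()
    return macs


def hypervisor_vendor(mac):
    """Return the hypervisor vendor for a MAC's OUI, or None if not listed."""
    oui = mac.lower().replace("-", ":")[:8]
    return HYPERVISOR_OUIS.get(oui)


def flag_hypervisor_interfaces(ifconfig_text):
    """Map each interface whose OUI belongs to a hypervisor to its vendor."""
    flagged = {}
    for ifname, mac in parse_macs(ifconfig_text).items():
        vendor = hypervisor_vendor(mac)
        if vendor:
            flagged[ifname] = vendor
    return flagged


if __name__ == "__main__":
    print(flag_hypervisor_interfaces(SAMPLE_IFCONFIG))
```

An interface that comes back flagged tells an analyst that a sample carrying this kind of check would see the sandbox for what it is and could choose not to run.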

Very few Mac malware samples are signed with a valid certificate, which makes Mughthesec quite unusual among its peers.

Adware distributed as a Flash Player installer

The adware currently spreads as a file called Player.dmg that installs a legit version of the Adobe Flash Player for Mac, but also an unwanted app named Advanced Mac Cleaner, and two Safari extensions named Safe Finder and Booking.com.

Wardle believes the adware is currently spread via malicious ads and popups on shady websites. "Either way, user-interaction is likely required [for both the download and installation]," says Wardle.

While the adware itself is quite easy to remove from infected computers, Wardle points out in a technical breakdown of the Mughthesec infection routine that other files the adware drops on infected hosts allow the malware operator to push as many secondary adware payloads as they want.

This is the main reason Wardle recommends that users who find evidence of a Mughthesec infection reinstall macOS, since they cannot know what other malware, or how much of it, they may be harboring on their systems.
