An Israeli company named TargetingEdge is behind the recent wave of Mac adware detected as OSX.Pirrit, Amit Serper, security researcher for Cybereason, explains in a report released today.
Pirrit is the name of a well-known piece of Windows adware that appeared around 2014. Serper was the first to spot a version of this adware targeting Mac users, in April, when he released a tell-all report detailing the adware's behavior.
Unlike the Windows version, which only injected ads into the victim's Web traffic, Pirrit on Mac was far more dangerous: it also gained root privileges on infected Macs and had the capability to install other binaries, such as a keylogger.
New OSX.Pirrit version contains clues about its author
Serper continued to track the adware's evolution and even created a script that removes Pirrit from infected systems. Recently, he was approached by a user who complained that the script had failed to remove Pirrit from his computer.
The researcher quickly understood that Pirrit's creators had released a new version that fixed the issues he revealed in his April report, such as leftover Windows code, and that the changes had also broken the Pirrit remover script.
Luckily, Pirrit's creators forgot to sanitize one of the archives the adware dropped on infected systems. Serper's explanation is below:
“The tar.gz archive format is a POSIX format, which means that it also saves all of the file attributes (like owners and permissions) inside of the archive as they were on the computer that the archive was created on. So when I listed the files inside the archive, I could see the user name of the person who created the archive.”
Pirrit's creator had used his first and last name as the username on the computer where he created the archive, so the name was recorded as the owner of every file inside it. The name belonged to an executive at TargetingEdge, an Israeli online marketing company. Ironically, the company's LinkedIn profile states:
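As an added illustration, not code from Serper's report or from Cybereason's remover script, the following Python script shows the leak described above and the step that would have prevented it. It builds a small gzip tarball in memory with owner metadata set the way tar records it from the creating machine (the file names, the placeholder username and the timestamp are constructed for the example), lists the members the way `tar -tvf` would, and then builds a second archive with the owner fields scrubbed, which is what the adware's authors skipped.

```python
import io
import tarfile

# Constructed sample data: a placeholder build username, not the name from the report.
CREATOR_UNAME = "builduser"   # hypothetical username of the machine that built the archive
SAMPLE_FILES = (
    ("installer/run.sh", b"#!/bin/sh\necho installing\n"),
    ("installer/config.plist", b"<plist/>\n"),
)


def scrub(info):
    """Strip the identifying owner metadata from one tar header."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_archive(uname=CREATOR_UNAME, gname="staff", sanitize=False):
    """Create a .tar.gz in memory.

    tar stores uid/gid and the textual uname/gname in every member header,
    exactly as they were on the creating host; with sanitize=True we scrub them first.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in SAMPLE_FILES:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mode = 0o755
            info.mtime = 1460000000          # constructed timestamp
            info.uid, info.gid = 501, 20     # typical first macOS user / "staff" group
            info.uname, info.gname = uname, gname
            if sanitize:
                info = scrub(info)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def list_owners(archive_bytes):
    """Equivalent of `tar -tvf`: (name, uname, gname, uid, gid) per member."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return [(m.name, m.uname, m.gname, m.uid, m.gid) for m in tar.getmembers()]


def creator_usernames(archive_bytes):
    """The OSINT check: every distinct non-empty owner name stored in the archive."""
    return sorted({uname for _, uname, _, _, _ in list_owners(archive_bytes) if uname})


if __name__ == "__main__":
    leaky = build_archive()
    clean = build_archive(sanitize=True)
    for label, data in (("leaky", leaky), ("scrubbed", clean)):
        print(f"== {label} ==")
        for name, uname, gname, uid, gid in list_owners(data):
            print(f"{uname or '-'}/{gname or '-'} ({uid}:{gid})  {name}")
        print("owner names leaked:", creator_usernames(data))
```

On the command line the same inspection is `tar -tvf archive.tar.gz`, which prints the stored owner and group names in the second column. When producing an archive with GNU tar, `--owner=root --group=root --numeric-owner` at creation time stores neutral values instead of the build account, which is the check a packager should run before shipping anything built on a personal machine.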
“TargetingEdge offers a Mac-approved installer to marketing and advertising companies worldwide and the company also provides the unique opportunity to monetize extensive remnant Mac traffic and gain additional revenue from an already existing user pool.”
TargetingEdge also shares its board of directors with two other companies: Feature Forward, which sells a video platform, and TLV Media, which markets an ad monetization platform.
OSX.Pirrit distributed as adware in legitimate installers from shady download sites
According to Serper, TargetingEdge's "Mac approved installer" was the Pirrit adware itself, which the company offered to download sites that, in turn, bundled it with legitimate Mac software such as MPlayerX, NicePlayer, and VLC.
Unlike the Windows versions of this adware, which provided clear opt-out choices and uninstall options, the Mac version of Pirrit was far more deceptive.
Serper says OSX.Pirrit does not feature an end user license agreement that explains in clear language what Pirrit does, nor does it offer an easy uninstallation process.
The OSX.Pirrit installer buried its uninstall instructions deep in the temp folders or inside a hidden user's home directory, locations where no ordinary user would look for such details.
Analyzing the archive files dropped by the April version of OSX.Pirrit, Serper found the same kind of clue, confirming his findings: that time, the owner name stored in the archive pointed to one of TargetingEdge's Web developers.
This is the second advertising firm found behind a malware distribution campaign, after Check Point released a report tying the Chinese firm Yingmob to the YiSpecter (iOS) and HummingBad (Android) malware.