An old adware variant that has been plaguing Windows computers since September 2014 has been seen for the first time infecting Mac users and polluting their Web traffic with all sorts of ads, even though it has the technical capability to do far more damage if its operators wished.
Cybereason security researcher Amit Serper analyzed OSX/Pirrit. While he was not impressed at first and considered the malware the work of a sloppy coder, he later found that Pirrit was more dangerous than previously thought.
While the original point of entry on a Mac user's computer is currently unknown, the researcher managed to obtain a binary and analyze how the threat works.
Pirrit was coded in Qt by a "Linux guy"
The Mac version of Pirrit has been written using the Qt Framework, which allows a coder to write applications that work on Mac, Linux, and Windows from the same codebase.
According to Serper's analysis, as soon as the user launches a Pirrit-laced binary, the malware will go through a series of steps. The first one is to generate a random app name, company name, and username based on a list of dictionary words.
Pirrit then uses this random username string to create a hidden user on the infected Mac, which it conceals from both the login screen and the Users & Groups section of the Mac's settings with a clever trick: it gives the hidden user the numeric ID 401 and then configures the Mac to hide all users with an ID below 500.
Pirrit uses Mac's packet filter to redirect traffic to a local proxy
Once this has been done, Pirrit uses Mac's built-in "pf" (packet filter) utility to hijack the user's port 80 Web traffic and redirect it to a local proxy running on port 9882.
All the Mac's Web traffic is rerouted to this proxy, except for the traffic originating from the hidden user, in order to avoid redirection loops.
The adware will then analyze the user's data connections, injecting ads inside Web pages, sending analytics data to the malware's owner, and even changing the homepage of some of the local browsers to sites like trovi.com or search-quick.com.
This is also where those random app and company names come into play: the proxy is installed under the random app name, in a folder that uses the random company name, to make it look like a more legitimate app.
Pirrit runs with root privileges every time you start your Mac
Once the hidden user is set up, the proxy installed, and the traffic redirected, the last step is for the malware to add a LaunchDaemon to the infected Mac, to make sure all these services run on the device, with root privileges.
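The three host-level indicators described above (a non-system account with a UID below 500, the login window told to hide such accounts, and a pf redirect rule pointing at port 9882) can be checked with a few shell functions. The script below is an added example, not the article's text nor Cybereason's removal tool. Each function parses command output supplied on stdin, so it runs offline against the constructed samples embedded at the bottom; on a real Mac you would pipe in the live output of the command named in each comment. The exact text of the pf rule Pirrit installs is an assumption, so the match is deliberately loose (any rdr rule that targets port 9882), and the Hide500Users key is the standard loginwindow preference that hides sub-500 UIDs.

```shell
#!/bin/sh
# Added example (not from the article or Cybereason): detection helpers for the
# indicators the article describes. Every function reads command output from
# stdin so it can be exercised offline with constructed samples.

# Indicator 1: a non-system account with 0 < UID < 500. The article says Pirrit's
# hidden user gets UniqueID 401 and UIDs below 500 are hidden from the login window.
# Input: output of `dscl . -list /Users UniqueID`
# Output: "name uid" for each match; underscore-prefixed service accounts, root,
# daemon and nobody are skipped because macOS ships with those.
find_low_uid_users() {
    awk '$1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" \
         && $2 + 0 > 0 && $2 + 0 < 500 { print $1, $2 }'
}

# Indicator 2: the login window configured to hide all accounts with UID < 500.
# Input: output of
#   `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users`
# (prints 1 when set; the command fails and prints nothing when the key is absent).
hide500_enabled() {
    read -r value
    [ "$value" = "1" ]
}

# Indicator 3: a pf redirect (rdr) rule sending traffic to the local proxy port.
# Input: output of `sudo pfctl -s nat`. The rule text is an assumption; we only
# require an rdr rule whose target port is 9882, as named in the article.
find_proxy_redirect() {
    grep -E '^rdr .* port 9882' || true
}

# Combine the three checks. Arguments: three files holding the outputs above.
# Prints one line per finding, then the number of indicators that fired.
count_indicators() {
    hits=0
    users=$(find_low_uid_users < "$1")
    if [ -n "$users" ]; then
        echo "finding: low-UID account(s): $users" >&2
        hits=$((hits + 1))
    fi
    if hide500_enabled < "$2"; then
        echo "finding: loginwindow Hide500Users is set" >&2
        hits=$((hits + 1))
    fi
    rules=$(find_proxy_redirect < "$3")
    if [ -n "$rules" ]; then
        echo "finding: pf redirect to port 9882: $rules" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Stand-alone demo on CONSTRUCTED samples (not captured from a real infection).
demo() {
    t=$(mktemp -d)
    printf 'root 0\n_spotlight 89\nnobody -2\nplateman 401\nalice 501\n' > "$t/users"
    printf '1\n' > "$t/hide500"
    printf 'rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 9882\n' > "$t/nat"
    echo "indicators fired on constructed sample: $(count_indicators "$t/users" "$t/hide500" "$t/nat")"
    rm -rf "$t"
}

demo
```

The functions are kept separate so that each can be fed the real command output in turn; a count of 0 on a clean machine is the expected baseline, and a hit on the UID check alone is worth investigating even if the pf check is negative, since the proxy may not be running at the time of the check.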
"While this program only delivers ads to a browser, it does use social engineering to get privilege escalation and eventually take total control of your machine," Mr. Serper explains. "And with control of your machine, attackers could have done more than bombard you with ads."
This includes installing keyloggers or banking trojans, stealing personal files, and just about anything else they wanted. The good news is that the researcher created a shell script that removes Pirrit from infected Macs. The script needs to run as root.
It is obvious that #osx_pirrit's HUGE installation script was written by a Linux guy. — Amit (@0xAmit) April 4, 2016
15 pages (!!!) on an OS X adware/clickjacker. Not sure if I'm overdoing it or not. #osx_pirrit — Amit (@0xAmit) April 4, 2016
Hooray. #osx_pirrit adds a LaunchDaemons with root permissions that change your network configuration. pic.twitter.com/HmRWGGFAS3 — Amit (@0xAmit) April 4, 2016
Seriously, they could have done everything programmatically but NO they had to pipe cat grep and awk together to get the mac's uuid — Amit (@0xAmit) April 3, 2016
That article on #osx_pirrit is going to be really long but on the other hand the removal tool is ready :D — Amit (@0xAmit) April 3, 2016
#osx_pirrit has a different domain for each of the following countries: US,CA,GB,ES,AU,IN,IT,NL ... Interesting... — Amit (@0xAmit) April 3, 2016
Some more windows related strings in #osx_pirrit... So far it looks like a complete mess. Really annoying. pic.twitter.com/VzBM9NsbtZ — Amit (@0xAmit) April 2, 2016
To check if you're infected by #osx_perrit run "dscl . -list /Users UniqueID | grep 401" and hope for no output ;) pic.twitter.com/rXD7jQyy9i — Amit (@0xAmit) March 31, 2016
Yup, #osx_pirrit adds a hidden user with a randomly generated name from a dictionary. Mine was "plateman" :D pic.twitter.com/dXZXZudayz — Amit (@0xAmit) March 31, 2016