JSCoreRunner Browser Hijacking Malware via Fake PDF Tool

MITRE Techniques

• [T1204] User Execution – JSCoreRunner is distributed via a fake file-conversion website that tricks users into downloading and installing FileRipple.pkg (“…appears and even work as a real PDF converter but behind the scenes it’s setting up to expose the user.”).
• [T1112] Modify Registry/Configuration (macOS settings) – The malware removes the quarantine attribute and alters system/application settings to allow unsigned payload execution (“…quietly removed the quarantine attribute within macOS…”).
• [T1218] Signed Binary Proxy Execution (bypass) – The campaign uses a revoked-signed first-stage and an unsigned second-stage to bypass macOS protections and Gatekeeper (“This package was signed by a developer whose signature was revoked by Apple… the second stage… is unsigned and therefore not blocked by default.”).
• [T1036] Masquerading – FileRipple.pkg masquerades as a legitimate PDF conversion utility and even displays a fake webview to appear legitimate (“…creates a fake webview, displaying a preview of a legitimate-looking PDF tool while the malicious activity runs silently in the background.”).
• [T1059] Command and Scripting Interpreter – The second-stage sends a request to a command-and-control server and executes binaries to complete payload setup (“It first sends a request to a command-and-control server to confirm the installation. It then identifies the real user, removes the quarantine attributes… and sets the path to execute the main binary.”).
• [T1110] Brute Force / Credential Access (Browser hijacking) – JSCoreRunner modifies Chrome profiles and search engine settings to redirect searches and enable potential credential/data theft (“…modifies the search engine settings by creating a new TemplateURL object… redirect users to a fraudulent search engine.”).