A malware check has done by the security house of AiroAV when a newly-discovered malware interferes with internet traffic on infested Apple Macs and maliciously inserts Bing results into victim’s Google search results. This malware configures compromised macOS computers to modify Google search results through a local proxy server.
This kind of malware is not common in contrast with other malwares that usually injects ads and other junks into websites and relies heavily on installing browser or operating system extensions, or injects AppleScript to execute this kind of illegal activity. This kind of malware tries to work around security defenses introduced in macOS Mojave and facilitates new method for hijacking browsers by installing a MITM proxy.
The behavior of this new malware is quite sneaky. It masquerades itself as a legitimate installer for an Adobe Flash plugin. The user will get this malware through an email or a drive-by download and tricks them into running this illegitimate installer. After the user runs this installer, they will be asked to provide their macOS account username and password. This will be used by this illegitimate installer to have sufficient access to format the system and install a local web proxy so that all web browser requests go through it. That proxy can freely flow in and out, to and from the public internet as this proxy can interfere with unencrypted data.
When the infected Mac is used to run a google search, the request will be forwarded to the local proxy and the HTML iframe containing fetched Bing results for the same query will be injected into the Google results page.
The spokesperson of the AiroAV Labs said that the attackers make money out of ads they are managed to serve via this process. This aggressive search takeover and injection method seem to be a response to recent changes in macOS Mojave which had deprecated traditional methods such as extension installation and browser setting takeovers. By using MITM, the attackers can inspect all user’s traffic, including encrypted content, manipulate it and return handled responses back to the user.
As of now, the security house of AiroAV is currently taking actions for the malware removal.