If you have a good reason to believe, and are able to demonstrate, that a file was mistakenly classified, please complete the following form and provide the file details.
If you believe an application, file or URL you encountered is malicious, tell us about it.
Authors: Roee Avni and Oksana Davidov, Researchers @ Airo Labs
Recently we spotted a new malware, in the form of a malicious profile file. The first of its kind on MacOS traffic: DNS hijacker.
This malware inserts a profile file that adds a new network interface as a fake VPN connection layer which later on, modifies the DNS IP address. These settings are being used to hijack Google search queries and redirect them into a monetized search page which hosts the Malware .
Back in May 2019, we analyzed and published a similar malware using a different MITM method, seen here: Unlike most malicious methods, this malware has neither an application nor a plist/agent, only a profile file that modifies the network settings, which makes it much harder to detect.
A short explanation about DNS hijacking:
DNS hijacking, DNS poisoning, and /or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by a type of malware that overrides a computer’s TCP/IP configuration to point at a rogue DNS server under the control of a cyber attacker.
The following URL is offering to update your Flash Player: hxxps://cplander.s3.amazonaws.com/flash_update.html?cid=9059702679477571548
Clicking “Download Flash…”/”Update” (both take the same action) downloads a file called “flashupdate.mobileconfig”.
“.mobileconfig” file is a configuration profile, an XML that specifies device settings and behavior. When users receive or download such a file, they can install it on their device with a double click:
In contrast to known infection vectors this case is special because it’s simply a configuration file that is loaded on the click from download bars on the browsers.
This type of file doesn’t need to be mounted or unpacked on the disk, such as DMG, PKG and other installation files.
Such a method may bypass many AV detections that are running in real time on newly mounted or extracted items from packages.
The user is then asked to fill in their credentials:
Here is some information regarding the profile being installed:
When the installation is completed, a new “VPN Connection” layer is created in the Network Panel and a new DNS of an AWS server is configured: 220.127.116.11
The end results in no actual VPN client or Flash Player being installed , just the new DNS that hijacks Google search queries.
Below you can see how the DNS hijacker is using its abilities to steal search traffic and redirect it to its monetized search page:
Network redirection chain:
Since Catalina launched we are seeing an increase in malicious MitM attempts. This new method is another simple but yet sophisticated way that malware can hijack the user’s traffic for various reasons like advertising, data collection, etc.
We believe that as the pressure from the OS/browsers side will continue to limit the ways an app can take control over the user’s traffic , we will keep on seeing an increase in MitM malwares and new methods for doing so.
As we previously mentioned before, this attack is interesting because it’s simply a configuration file that is loaded on a click from download bars on the browsers themselves and It doesn’t need to be mounted or unpacked on the disk, such as DMG, PKG and others installation files.
Such a method could bypass many AV detections running in real time on newly mounted or extracted items from packages.
To remove this DNS hijacker, the user should go to System Preferences → Profiles and remove this profile by clicking on “-” button:
SHA256: 7318b716a5db5fa097944ba0ed7c1b7587bd50500b115166df50af67a57dcd76 (not in VirusTotal)
DNS IP: 18.104.22.168
About the authors:
Oksana Davidov is a Senior Malware Researcher with experience in Cyber Security field, working with some of the leading organizations in the market. She acquired a deep knowledge of malware techniques and cyber-attack campaigns from defensive and offensive viewpoints. Her experience includes reverse engineering, malware analysis, computer and network forensics, incident response and development.
Roee Avni is a security researcher for over 4 years, with experience of malware analysis, reverse engineering, incident response and development.
Try Airo AV and Airo Web Protection