MITM Proxy: New Search Hijack Method on Mojave

Authors: Roee Avni and Oksana Davidov, Researchers @ AiroAV Labs

May 29th, 2019

We recently discovered a new variant of SearchProxy. While researching and analyzing this sample, we found an additional ‘feature’ it now employs: a new method of hijacking browsers by installing a MITM proxy.

In contrast to previous hijacking methods (installing browser and local extensions, or AppleScript injections), which became a real problem when macOS Mojave was introduced, this new method is an extremely aggressive way to hijack users’ browsers.

By using MITM, the attackers can inspect all of the user’s traffic, including encrypted content, manipulate it, and return the processed responses to the user.

This post is an initial brief intended to raise awareness of this emerging threat. A detailed analysis of this new variant will follow in the near future by Airo Labs.

Installation Flow:

The installation starts as a mountable DMG that includes an app bundle of a fake flash player:

The installation process looks pretty standard:

After installation, the following user dialog appears as the user launches Safari:

Following a click on “OK”, the user is asked to enter their credentials:

Installation components:

The installer drops the following bash script, “install_src_srv_kod.sh”:

This script fetches a ZIP file from the server, unzips it to /usr/local/srcsrv and copies a plist to the LaunchDaemons directory.

It then loads the plist with “launchctl”. The plist refers to the location of the Mach-O file “Titanium.Web.Proxy.Examples.Basic.Standard”.

After reboot, two additional scripts are invoked as part of the installation process:

  1. “change_proxy.sh”: This script changes the machine settings to use an HTTP/S web proxy at localhost:8003

  2. “trush_cert.sh”: This script installs a new trusted SSL certificate to the keychain:

The MITM proxy being installed is an open source proxy called ‘Titanium Web Proxy’ (https://github.com/justcoding121/Titanium-Web-Proxy), a cross-platform asynchronous HTTP(S) proxy server in C# which can run on macOS using the Mono framework.
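For triage, the proxy change made by “change_proxy.sh” is visible in the output of `scutil --proxy`. The following is an added example, not code from the sample or from the original post: it flags enabled HTTP/HTTPS system proxies that point at a loopback address. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Live use on a Mac:  scutil --proxy | loopback_proxies

# Reads `scutil --proxy` output on stdin and prints "<SCHEME> <host>:<port>"
# for every enabled HTTP/HTTPS proxy whose host is a loopback address.
loopback_proxies() {
    awk -F' : ' '
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim indentation around the key
            gsub(/[ \t\r]+$/, "", v)         # trim trailing whitespace
            kv[k] = v
        }
        END {
            n = split("HTTP HTTPS", schemes, " ")
            for (i = 1; i <= n; i++) {
                s = schemes[i]; host = kv[s "Proxy"]
                if (kv[s "Enable"] != "1") continue
                if (host == "localhost" || host == "::1" || host ~ /^127\./)
                    print s " " host ":" kv[s "Port"]
            }
        }'
}

# Constructed sample of `scutil --proxy` output after change_proxy.sh has run.
sample_scutil_output() {
    cat <<'EOF'
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  HTTPEnable : 1
  HTTPPort : 8003
  HTTPProxy : localhost
  HTTPSEnable : 1
  HTTPSPort : 8003
  HTTPSProxy : 127.0.0.1
}
EOF
}

sample_scutil_output | loopback_proxies
```

A loopback proxy is also what legitimate debugging proxies and some endpoint agents configure, so treat a hit as a lead to correlate with the LaunchDaemon under /usr/local/srcsrv and the newly trusted root certificate.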

Once installed, we can observe that all browser traffic goes through Titanium, which is listening on port 8003:

Looking at the payload content, we can see that a connection to https://www.google.com goes through the local proxy instead of directly to Google:

In the proxy, the SSL connection is terminated (using the certificate installed earlier) and the proxy can see the HTTP request in plaintext. It fetches the site from Google on the user’s behalf and then modifies it (hence, MITM).

The certificate for each site is generated on the fly by the proxy from the root certificate that was installed in the previous phase:

(Note: this is NOT the real google.com certificate)

The actual operation is injecting Bing search results in an iFrame into Google’s results page, as we can see below:

In this short video, we can see the amount of time it takes for the search results to load, a result of multiple redirects until the relevant search results are displayed: ChromeProxy

This brief reflects some initial findings of our research on this brand new type of search hijacking method (on Mac). This aggressive search takeover and injection method seems to be a response to recent changes in macOS Mojave, which had deprecated ‘traditional’ methods such as extension installation and browser setting takeovers.

About the authors:

Oksana Davidov is a Senior Malware Researcher with 10 years of experience in the cyber security space, working with some of the leading organizations in the market. She acquired a deep knowledge of malware techniques and cyber-attack campaigns from defensive and offensive viewpoints. Her experience includes reverse engineering, malware analysis, computer and network forensics, incident response and development.

Roee Avni has been a security researcher for over 4 years, with experience in malware analysis, reverse engineering, incident response and development.