Security researchers at MalwareBytes have discovered a new variant of an adware installer that is leveraging an old trick to access the Keychain on MAC OS X

In July, researchers at Malwarebytes have identified a local privilege escalation (LPE) vulnerability in the Mac OS X operating system. The experts discovered that the flaw in OS X was exploited in the wild by an installer for the Genieo and VSearch adware.

The crooks also installed MacKeeper and directed victims to the Apple App Store page of a file downloader dubbed Download Shuttle.

Despite Apple fixed the flaw on August 13 with the release of OS X Yosemite 10.10.5, a new version of the installer was discovered once again by experts at Malwarebytes reported seeing a new version of the previously analyzed installer. This time the new installer asks users to enter their admin password, after which it performs exactly the same operation of the first variant.

The researchers also another singular trick implemented by the installer, once executed it throws an installer request that asks for permission to access the user’s OS X keychain.

The new version of the installer automatically simulates a click on the “Allow” button as soon as it appears, in this way it gains access to the Safari Extensions List and then install a Genieo Safari extension. 

Malwarebytes has spotted the malicious code in almost every app installed by the Genieo installer at least since early June.

 

The process of installing a malicious extension and gain access to the OS X keychain is very rapid and it is not perceived by the user.

 

The Keychain alert is visible for a fraction of a second before the Allow button is automatically clicked.

 

“It looks like this Installer app is using this hack to gain access to the Safari Extensions List in the keychain, for the purpose of installing a Genieo Safari extension (named Leperdvil, in this case).This seems like an unnecessary hack, considering that Genieo installers have been installing Safari extensions for years. Perhaps it’s an attempt to get around changes to handling of Safari extensions in the upcoming El Capitan (OS X 10.11). More concerning, though, is the question of what’s to stop this adware from accessing other confidential keychain information… like, say, passwords?” wrote MalwareBytes researcher Thomas Reed.

The Keychain alert is visible for less than a second before the Allow button is automatically clicked so victims are unlikely to become suspicious.

The principal problem related to this hack is the access to the Mac OS X Keychain which is the password management system that is used to store sensitive information and user credentials.

k2

The experts highlighted that the adware could be improved to access users’ iCloud passwords and any other information stored in the keychain.

The identity management company MyKi also disclosed a method to hack the Keychain, its researchers also developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and sends them to the attacker via SMS.

CSOonline published an interesting post on the topic, in particular, it reported further details on the attack provided by the researchers from the MyKi company.

A reader asked if this affected iOS as well as OSX. Jebara, one of the researchers confirmed that in the case the user opted for the iCloud Keychain, “then all passwords saved on the iOS device will also be extracted by the exploit. But the exploit will only execute on a OSX device meaning that it can only be run from a Mac.”

As for attack vectors, Jebara said that the following come to mind:

  • Direct Attack: Attacker that knows victim sends malicious file via email or something similar
  • P2P Attack: Attacker embeds payload in torrent file and distributes it
  • Website Post: Share on social media disguised as an intriguing article

Relatively elaborate potential vectors:

  • Intercept user download from website X via MITM, append payload to download and redirect download to user.
  • Get a low privilege shell on user computer (root privilege not needed) and execute payload.

 Pierluigi Paganini