Stealthy Mughthesec Mac adware exposed: What it does, how to protect yourself

Mac malware is still a rare occurrence, so it’s no wonder that some of it can lurk, unnoticed for months, on random machines.

The latest example falls more in the category of “potentially unwanted software” than outright “malware,” but it could easily be made to saddle users with more malicious threats.

About Mughthesec

The malware has been dubbed Mughthesec, after the name of the app and the launch agent it installs on the target machine.

The sample analyzed by security researcher Patrick Wardle was not detected by a Mac AV solution, and it was lifted directly from an infected MacBook, after being spotted by a user.

Wardle even managed to get his hands on the adware’s original installer and tested it on VirusTotal. The result was the same: no detection. Interestingly enough, both files were signed with the same valid developer certificate, which Apple revoked soon after Wardle’s analysis.

The disk image was made to look like it was a Adobe Flash installer, and if it detects that it is being run in a virtual machine, it will install only a legitimate copy of Flash. If not, it will reach out to a C&C server, and then ask the victim to install a fake, scammy utility app (Advanced Mac Cleaner), a piece of adware (Safe Finder), and browser hijacker (Booking.com):

mughthesec Mac adware

The result of the installation? A hijacked Safari homepage (made to point to a search page), an installed Safari extension (AnySearch) that changes the search engine in the Safari address bar, injected ads, and a panic-inducing alert by Advanced Mac Cleaner, which apparently found many issues affecting the computer. Naturally, to “fix” them, the user has to pay.

Wardle posits that the malware is delivered to end user via malicious ads and/or pop-ups, and it all points to it being a newer variant of a previously flagged adware dubbed Safe Finder/Operator Mac.

What to do if you’ve been infected?

If your computer has been hit with this variant of Mughthesec, delete the unwanted apps and the “Any Search” browser extension, and unload and delete the Mughthesec launch agent (~/Library/LaunchAgents/com.Mughthesec.plist).

If you’ve perhaps been saddled with other types of adware, delete that as well.

For those who haven’t been hit but want to remain adware-free, be careful what apps you download and install on your machine.

Now that Apple has revoked the developer certificate used to sign Mughthesec’s files, macOS will refuse to run the fake Flash Player installer, but a new version signed with another valid certificate can soon be pushed out.