Detection of MyShopCoupon
Summary: MyShopCoupon is a browser redirector that I found in the ~/Applications directory. This was redirecting Google Chrome to use weknow[dot]ac as the default search engine for the browser. This avoided detection from KnockKnock, Malwarebytes Anti-Malware for Mac and ClamXav. It actually took me a fair amount of hunting around to grab it as this is the first occasion in which I’ve seen adware/malware hide itself in such an unlikely place as the ~/Applications directory. The point of this article IS NOT to chastise the developers of the above listed software, but simply to inform them of this files existence. Prior to this article being published, I have submitted the files and my findings to those that expressed interest in my detection.
Introduction: First, I’d like to take a moment to introduce myself. My name is Matt Jacobs and I am the senior technician at a third-party Apple retail location. I have been doing this since 2013 and have performed ~15-25 security sweeps a week since I created/curated some wonderful pieces of software together for use with Macs. The curated Apps do the majority of the work, although I have created several Automators that simplify my process. The process that I use has been implemented on a nationwide scale within the company that I work for. I am very proud of this and the work that I do. I DO NOT KNOW HOW TO CODE! I AM NOT A PROFESSIONAL MALWARE RESEARCHER! I am simply a person that has had to work around malware and INSANE amount. I say all this so you know that this article WILL NOT be an in depth discovery in the vein of Thomas Reed or Patrick Wardle, gentleman that I respect GREATLY. This is a practical analysis. Should you feel that I am disqualified to be writing such an article, you can feel free to navigate away now.
Getting on with It: I initially found this piece of adware and submitted it to Virus Total on September 14, 2018. I found this because I had completed a security sweep on a customer’s computer (the customer will remain nameless here, but they granted permission to me to copy the files for use with this analysis) in which scans were ran with the following three pieces of software, in this order:
Malwarebytes Anti-Malware for Mac
Before & after the scans are completed, I will manually go seek out some places that I know little things like to (attempt to) hide in. After analysis, it is part of my process to clear the caches within installed browsers and verify that they are functioning properly. Everything looked to be performing as normal, so I sent the computer home with the customer. The same day, the customer returned to my store (after I had left for the day) and was showing something to the technician on duty. In Google Chrome, the default search engine was set to Google, yet when a search was performed, it was using a search engine called WeKnow. That tech did the usual and checked for various installed extensions, cleared the cache and restarted the browser. The same was still occurring. That tech then removed Google Chrome, as well as it’s associated files and folders, then re-installed Google Chrome. The issue persisted. At this point he put the machine on my desk and told the customer I would contact them again the next day.
Upon my arrival, I see this computer that I recall completing the day before, sitting on my desk. The tech explained what was going on and walked me through the things he attempted, which I’ve documented above. At this point I started searching for the offender. After several minutes, I couldn’t find anything out of the ordinary. So I started looking in places that were so obvious I wouldn’t usually check. MyShopCoupon was “hiding” in the Applications directory AT THE USER LEVEL in a directory titled “MyShopCoupon” along with a myshopcoupon.config file. I zipped this folder up, restarted the computer and relaunched Google Chrome. Issue solved! I called the customer and explained the situation to them and was granted permission to copy the files upon removal for further analysis.
I temporarily copied the files to a jump drive, so I could later copy to my personal MBP for analysis. Upon uploading the files (that I had unzipped) to Virus Total, I learned that 0/59 scanning engines had been triggered by these files. Virus Total did show me that it knows about files that are considered to be related to this file. It also showed me that some of these related files HAVE triggered some of their scanning engines. This has happened to me several times before. In those circumstances, I usually send the zipped up files to someone a little more prominent than I in the malware industry to proceed through the official channels and update their own software to detect these. I didn’t this time, however, as I had very little information about them. Upon completion of my security sweep, I gather all of the files into the ~/Trash and organize them as follows:
Known Bad Software
Previously in Trash
[security sweep] Docs
Unnecessary iTems (I throw away .dmg, .pkg, .exe files I find in the ~/Downloads folder, even though they may not be related to security)
Virus Scan Removals
The purpose of doing such a thing is to give the customer something that they can look at to see what I did. This is to provide them with some value since they have paid for the service, and (other than a better operating computer) they really have nothing to show for it. I understand that the vast majority of end users will not understand what they are looking at, but this is so they can visualize what was causing the issue and have the satisfaction of clicking the “Empty Trash” button and ridding themselves of the problematic software. In this instance, the customer had emptied the trash prior to bringing the computer back. So I really have no idea what the infection vector was, nor where it came from. I know… very anti-climactic, right?
However, the upside is that now you, the reader, know that this little piece of garbage likes to store itself in your ~/Applications folder! Go take a peak for it. The other upside is that this is making me change my process. I will now start archiving the directories that I mentioned above (with permission, of course) excluding the “Previously in Trash” directory so I can be better prepared for these occurrences.
Virus Total Link: MyShopCoupon
MyMacUpdater SHA-256: fa3e23154036428fa42ba843f79e9fb6a1b85585906ee9159540e506b787d2df
Further Evaluation and Update by Stuart Ashenbrenner
Matt Jacobs originally made this write up back in September, but we have delay the release of the blog post. I have done a little more digging into this piece of malware, and I will show you exactly what it looks like and where it is persisting on your machine. Over the past few months, VirusTotal has began to recognize this malware, although many antivirus programs still aren’t finding it.
When I acquire a sample of the malware from Matt, I began by simply running the installer (see right).
After initializing the installer, I quickly received a notification from the Objective-See tool called Lulu. This tool helps notify you of an process trying to connect to an external IP address, just like your typical firewall. This notification flagged that a process called mm-install-macos was attempting to connect to service.macinstallerinfo.com at IP address 126.96.36.199:80. This process (PID 729) was located at path:
With this, you can see that the install persists out of the /private folder in the root directly. Luckily, you can block this connection with Lulu.
If you allow this process to run, you will see Terminal open to run the bash script that is this programs installer. This is also the time in which the program will request your administrator password. This is truly what allows the adware to persist and begin infiltrating your system.
This will launch an installer for “program” called Media Player. This program initializes and gives you two types of installation options. One is the express version (below-left). The other is the customized version (below-right). Please note, you cannot actually customize the installer. You HAVE to install both Media Player and Myshopcoupon, and you cannot uncheck the option. They are basically forcing you to install both those pieces of “software.”
After accepting the install, Lulu alerted me with another outgoing connection. This came from a plist file located within the LaunchDaemons folder, which is what helps the adware maintain persistence. As noted in the screenshot, the actually startup binary of the file is location in the User-level Application folder, which is much less common than that root Application folder, which is where the majority of your actual apps are located.
You are then taken through a slough of your System asking for permission for these programs to access ALL of the data within your browsers, whether it be Safari, Chrome, or Firefox (I tested all three). These requests look like the image to the right. There were roughly two requests per browser, one for Myshopcoupon and one for a program called “Install”. Clever name, right?
One thing of note, I did recognize a curl command running in Activity Monitor.
I checked the process ID (PID) through Terminal and noticed it was trying to connect to the mediaDownloader server.
This completed the installation with a large “Thank You” page, then immediately after opened Safari and directed me to a website that, in the browser was called “related-offers.” It was an ad for MacKeeper. Shocker!
After exiting that garbage program, I navigated to the User/user/Applications folder, and sure enough, MyMacUpdater was sitting in that location.
The job of malware, adware, or viruses is to persist, meaning if you restart your computer, the malware needs to be able to restart on either power-on or login. Because of this, most malware will attempt to persist from either the LaunchAgents or LaunchDaemons folders.
One reason why this specific piece of malware is so nefarious is because it utilizes the users directory. Because of this, some malware of adware companies don’t recognize it, as it could potentially cause unwanted data loss (according to the AV companies). While I don’t necessarily agree with the notion for malware companies to avoid blatant and obvious malware, I understand where they’re coming from, at least from a business standpoint.
With that in mind, I highly recommend tools from Objective-See. Their tools, like Lulu mentioned above can help alert you to unwanted programs, adware, or malware. On top of that, their program KnockKnock will run Launch Items (items in the LaunchAgents and LaunchDaemons folders) against a VirusTotal check. Although this malware avoided detection early on, it appears that it is now being recognized, mainly due to the malware changing over the past few months. VirusTotal will reveal how many different antivirus programs have recognized it. When I used KnockKnock after installing this Myshopcoupon on a clean system, it responded with these results:
A huge thank you to Matt Jacobs for all of his research into MyShopCoupon! You can follow Matt on Twitter at @pnwbeard. When Matt isn’t working on Macs, he’s developing and designing table top games. Check out his page over on Patreon.