Guest Post: MyShopCoupon Hijack Browser

Detection of MyShopCoupon

Summary: MyShopCoupon is a browser redirector that I found in the ~/Applications directory. This was redirecting Google Chrome to use weknow[dot]ac as the default search engine for the browser. This avoided detection from KnockKnock, Malwarebytes Anti-Malware for Mac and ClamXav. It actually took me a fair amount of hunting around to grab it, as this is the first occasion on which I’ve seen adware/malware hide itself in such an unlikely place as the ~/Applications directory. The point of this article IS NOT to chastise the developers of the above listed software, but simply to inform them of this file's existence. Prior to this article being published, I submitted the files and my findings to those that expressed interest in my detection.

Introduction: First, I’d like to take a moment to introduce myself. My name is Matt Jacobs and I am the senior technician at a third-party Apple retail location. I have been doing this since 2013 and have performed ~15-25 security sweeps a week since I created/curated some wonderful pieces of software for use with Macs. The curated apps do the majority of the work, although I have created several Automator workflows that simplify my process. The process that I use has been implemented on a nationwide scale within the company that I work for. I am very proud of this and the work that I do. I DO NOT KNOW HOW TO CODE! I AM NOT A PROFESSIONAL MALWARE RESEARCHER! I am simply a person that has had to work around an INSANE amount of malware. I say all this so you know that this article WILL NOT be an in-depth discovery in the vein of Thomas Reed or Patrick Wardle, gentlemen that I respect GREATLY. This is a practical analysis. Should you feel that I am unqualified to be writing such an article, feel free to navigate away now.

Getting on with It: I initially found this piece of adware and submitted it to VirusTotal on September 14, 2018. I found this because I had completed a security sweep on a customer’s computer (the customer will remain nameless here, but they granted me permission to copy the files for use with this analysis) in which scans were run with the following three pieces of software, in this order: 

    1. KnockKnock

    2. Malwarebytes Anti-Malware for Mac

    3. ClamXav

Before and after the scans are completed, I manually seek out some places that I know little things like to (attempt to) hide in. After analysis, it is part of my process to clear the caches within installed browsers and verify that they are functioning properly. Everything looked to be performing normally, so I sent the computer home with the customer. The same day, the customer returned to my store (after I had left for the day) and showed something to the technician on duty. In Google Chrome, the default search engine was set to Google, yet when a search was performed, it was using a search engine called WeKnow. That tech did the usual and checked for various installed extensions, cleared the cache and restarted the browser. The same thing was still occurring. That tech then removed Google Chrome, as well as its associated files and folders, then re-installed Google Chrome. The issue persisted. At this point he put the machine on my desk and told the customer I would contact them again the next day. 

Upon my arrival, I saw this computer that I recalled completing the day before, sitting on my desk. The tech explained what was going on and walked me through the things he had attempted, which I’ve documented above. At this point I started searching for the offender. After several minutes, I couldn’t find anything out of the ordinary. So I started looking in places that were so obvious I wouldn’t usually check. MyShopCoupon was “hiding” in the Applications directory AT THE USER LEVEL in a directory titled “MyShopCoupon” along with a myshopcoupon.config file. I zipped this folder up, restarted the computer and relaunched Google Chrome. Issue solved! I called the customer and explained the situation to them and was granted permission to copy the files upon removal for further analysis. 

I temporarily copied the files to a jump drive, so I could later copy them to my personal MBP for analysis. Upon uploading the files (which I had unzipped) to VirusTotal, I learned that 0/59 scanning engines had been triggered by these files. VirusTotal did show me that it knows about files that are considered to be related to this file. It also showed me that some of these related files HAVE triggered some of their scanning engines. This has happened to me several times before. In those circumstances, I usually send the zipped-up files to someone a little more prominent than I am in the malware industry to proceed through the official channels and update their own software to detect these. I didn’t this time, however, as I had very little information about them. Upon completion of my security sweep, I gather all of the files into the ~/Trash and organize them as follows:

    1. Known Bad Software

    2. Malwarebytes Removals

    3. Previously in Trash

    4. [security sweep] Docs

    5. Unnecessary Items (I throw away .dmg, .pkg, .exe files I find in the ~/Downloads folder, even though they may not be related to security)

    6. Virus Scan Removals

The purpose of doing such a thing is to give the customer something that they can look at to see what I did. This is to provide them with some value since they have paid for the service, and (other than a better operating computer) they really have nothing to show for it. I understand that the vast majority of end users will not understand what they are looking at, but this is so they can visualize what was causing the issue and have the satisfaction of clicking the “Empty Trash” button and ridding themselves of the problematic software. In this instance, the customer had emptied the trash prior to bringing the computer back. So I really have no idea what the infection vector was, nor where it came from. I know… very anti-climactic, right?

However, the upside is that now you, the reader, know that this little piece of garbage likes to store itself in your ~/Applications folder! Go take a peek for it. The other upside is that this is making me change my process. I will now start archiving the directories that I mentioned above (with permission, of course), excluding the “Previously in Trash” directory, so I can be better prepared for these occurrences. 

VirusTotal Link: MyShopCoupon
SHA-256: ea99c5031c8e455352a762515831d5fa1de4f7abfae169fbaf2a3d89fe704e12

MyMacUpdater SHA-256: fa3e23154036428fa42ba843f79e9fb6a1b85585906ee9159540e506b787d2df


Further Evaluation and Update by Stuart Ashenbrenner

Matt Jacobs originally made this write-up back in September, but we delayed the release of the blog post. I have done a little more digging into this piece of malware, and I will show you exactly what it looks like and where it persists on your machine. Over the past few months, VirusTotal has begun to recognize this malware, although many antivirus programs still aren’t finding it.


When I acquired a sample of the malware from Matt, I began by simply running the installer (see right).

After initializing the installer, I quickly received a notification from the Objective-See tool called LuLu. This tool notifies you of a process trying to connect to an external IP address, just like your typical firewall. This notification flagged that a process called mm-install-macos was attempting to connect to service.macinstallerinfo.com at IP address 104.238.223.14:80. This process (PID 729) was located at path:

/private/var/folders/8r/cwfv75z56jq6njqk_macos.app/Contents/MacOS/mm-install-macos

With this, you can see that the installer persists out of the /private folder in the root directory. Luckily, you can block this connection with LuLu.


If you allow this process to run, you will see Terminal open to run the bash script that is this program's installer. This is also the point at which the program will request your administrator password. This is truly what allows the adware to persist and begin infiltrating your system.


This will launch an installer for a “program” called Media Player. This program initializes and gives you two types of installation options. One is the express version (below-left). The other is the customized version (below-right). Please note, you cannot actually customize the installer. You HAVE to install both Media Player and MyShopCoupon, and you cannot uncheck the option. They are basically forcing you to install both pieces of “software.”


After accepting the install, LuLu alerted me to another outgoing connection. This came from a plist file located within the LaunchDaemons folder, which is what helps the adware maintain persistence. As noted in the screenshot, the actual startup binary is located in the user-level Applications folder, which is much less common than the root Applications folder, where the majority of your actual apps are located.


You are then taken through a slew of system prompts asking for permission for these programs to access ALL of the data within your browsers, whether it be Safari, Chrome, or Firefox (I tested all three). These requests look like the image to the right. There were roughly two requests per browser, one for MyShopCoupon and one for a program called “Install”. Clever name, right?

One thing of note: I did notice a curl command running in Activity Monitor.


I checked the process ID (PID) through Terminal and noticed it was trying to connect to the mediaDownloader server.


This completed the installation with a large “Thank You” page, then immediately afterwards opened Safari and directed me to a website that, in the browser, was called “related-offers.” It was an ad for MacKeeper. Shocker!


After exiting that garbage program, I navigated to the /Users/user/Applications folder, and sure enough, MyMacUpdater was sitting in that location.


The job of malware, adware, or viruses is to persist, meaning that if you restart your computer, the malware needs to be able to restart on either power-on or login. Because of this, most malware will attempt to persist from either the LaunchAgents or LaunchDaemons folders.

One reason why this specific piece of malware is so nefarious is that it utilizes the user's directory. Because of this, some anti-malware or anti-adware companies don’t recognize it, as flagging it could potentially cause unwanted data loss (according to the AV companies). While I don’t necessarily agree with the notion that anti-malware companies should avoid blatant and obvious malware, I understand where they’re coming from, at least from a business standpoint.
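One way to hunt for the persistence pattern described in the two preceding paragraphs, as an added example that is not code from the original post or from any of the tools it mentions: parse launchd plists from the LaunchDaemons and LaunchAgents folders and flag any whose program lives in a user's ~/Applications folder or in the /private/var/folders temp tree, which is where the adware's binary and installer sat. The allow-list of expected path prefixes and the sample plists are constructed assumptions, not real indicators.

```python
"""Added example (not code from the original post): flag launchd items whose
program lives where the adware described above persisted (a user's ~/Applications
folder, or the /private/var/folders temp tree its installer ran from).
All paths and sample plists below are constructed, not real indicators."""
import plistlib
import re
from typing import Dict, List, Optional

# Where a legitimate launch item's program normally lives (hypothetical allow-list).
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")

# Ordered most to least specific; the first match names the finding.
SUSPICIOUS_PATTERNS = {
    "user-level Applications folder": re.compile(r"^/Users/[^/]+/Applications/"),
    "per-user temp folder (/var/folders)": re.compile(r"^(/private)?/var/folders/"),
    "home directory": re.compile(r"^/Users/[^/]+/"),
}


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd plist runs: Program, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def classify(path: str) -> Optional[str]:
    """Name why a program path is suspicious, or None if it looks ordinary."""
    for reason, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.match(path):
            return reason
    if not path.startswith(EXPECTED_PREFIXES):
        return "outside expected system/application locations"
    return None


def audit_launch_items(items: Dict[str, bytes]) -> List[dict]:
    """items maps plist path -> raw plist bytes (e.g. read from LaunchDaemons/LaunchAgents)."""
    findings = []
    for plist_path, raw in items.items():
        try:
            plist = plistlib.loads(raw)
        except Exception as exc:  # a plist that will not parse is itself worth a look
            findings.append({"plist": plist_path, "program": None,
                             "reason": f"unparseable plist: {exc}"})
            continue
        prog = program_path(plist)
        reason = classify(prog) if prog else None
        if reason:
            findings.append({"plist": plist_path, "program": prog,
                             "label": plist.get("Label"), "reason": reason})
    return findings


# Constructed samples modelled on the behaviour described above (not real IoCs).
SAMPLE_ITEMS = {
    "/Library/LaunchDaemons/com.example.mymacupdater.plist": plistlib.dumps({
        "Label": "com.example.mymacupdater", "RunAtLoad": True,
        "ProgramArguments": ["/Users/victim/Applications/MyMacUpdater.app/Contents/MacOS/MyMacUpdater"],
    }),
    "/Library/LaunchDaemons/com.vendor.helper.plist": plistlib.dumps({
        "Label": "com.vendor.helper", "Program": "/usr/libexec/vendor-helper",
    }),
    "/Users/victim/Library/LaunchAgents/com.example.install.plist": plistlib.dumps({
        "Label": "com.example.install",
        "ProgramArguments": ["/private/var/folders/8r/EXAMPLE/T/installer.app/Contents/MacOS/mm-install"],
    }),
}

if __name__ == "__main__":
    for f in audit_launch_items(SAMPLE_ITEMS):
        print(f"{f['reason']}: {f['plist']} -> {f['program']}")
```

On a real machine you would feed it the bytes of every plist under /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents, then hash and look up any flagged binary on VirusTotal the way KnockKnock does.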

With that in mind, I highly recommend tools from Objective-See. Their tools, like LuLu mentioned above, can help alert you to unwanted programs, adware, or malware. On top of that, their program KnockKnock will run Launch Items (items in the LaunchAgents and LaunchDaemons folders) against a VirusTotal check. Although this malware avoided detection early on, it appears that it is now being recognized, mainly due to the malware changing over the past few months. VirusTotal will reveal how many different antivirus programs have recognized it. When I used KnockKnock after installing MyShopCoupon on a clean system, it responded with these results:


It recognized both persisting pieces of software, and returned that one (MyMacUpdater) had 2/57 hits on VirusTotal, while the other (MyShopcoupon) had 15/56.

I can’t recommend these programs enough.

If you have any questions, feel free to email or call me.


A huge thank you to Matt Jacobs for all of his research into MyShopCoupon! You can follow Matt on Twitter at @pnwbeard. When Matt isn’t working on Macs, he’s developing and designing table top games. Check out his page over on Patreon.

Also, shoutout to Patrick Wardle at Objective-See for all of their fantastic tools.

Best Mac Security Tools of 2017


As we round out another year, I look back at everything that has happened this year with computer security, especially in the Apple sector.

We can look back at WannaCry, the ransomware attack that ravaged Microsoft systems across the world in May. It infected around 300,000 computers and over 200,000 victims. This was quickly followed by another piece of ransomware called Petya. In March, a data trove of 8,761 documents entitled "Vault 7" was posted to WikiLeaks, a collection of stolen documents containing documentation of alleged spying operations and different hacking tools. This doesn't even take into account the massive number of DDoS (Distributed Denial of Service) attacks against companies and individuals. Last but not least, we cannot forget the massive data leaks of the past few years, which include but are not limited to Equifax, Target, Sony, Yahoo, Ashley Madison, Adult Friend Finder, and Stuxnet.

With all of that being said, although not all of these attacks were directed specifically at the Mac operating system, some of them were. Because of that, we have compiled a list of the top security tools of this year. They weren't all produced this year, but they are the security tools that I use daily and trust whole-heartedly. We will also recount some of the biggest tricksters and liars of the year in our next blog post.

If you are interested in or have questions about any of this year's top security tools, please let me know. Send me an email at stuart@crashsecurity.com.


Top 5 Mac Security Tools of 2017:

 

Honorable Mention


NordVPN

NordVPN is my favorite VPN (virtual private network) I've used thus far, and I have tried quite a few. After being dissatisfied with the price of the last one I used, ExpressVPN, I moved to NordVPN. 

I learned of a great comparison site called That One Privacy Site that provides a breakdown for tons and tons of VPNs. To sum up VPNs, they encrypt your IP address, so you can remain relatively anonymous while browsing the internet. With how many different things I research, I have to use a VPN. NordVPN is one of the top rated, and it also has great reviews. You can choose where you want your IP address routed through, whether it be Canada, Europe, Asia, or anywhere in between.

Sign up for the two-year plan for $3.29/month.

Follow NordVPN on Twitter: @NordVPN


No. 5


GPG Tools

This suite of tools allows you to send encrypted emails using the program GPG Suite. Although it may seem as if your email is impenetrable, it isn't. This tool can be tough to configure, but once set up, it is an amazing application. It allows you to give your public key to others, with which they can send you encrypted messages. The only way to read those messages is by decrypting them with your private key. It uses an encryption standard called OpenPGP, PGP standing for Pretty Good Privacy (no joke). Using a key server, you can fetch your friends' public keys to send them encrypted emails when you need or want to. It is a plug-in for Mac Mail, so if you use a different email client, you may have to download a different tool. It is available for macOS 10.9 and higher. Read more at their website, which is linked in the title above.

To send me an encrypted email, my public key ID is: BB387DBD

Follow GPG Tools on Twitter: @GPGTools


No. 4


Little Snitch

Little Snitch is a network monitoring tool that makes your connections visible. You can allow or block certain connections, as well as set parameters for the connection. Say I want to do an Adobe update, but I only want my computer reaching out to Adobe's server address for 30 minutes: I can set the parameter to allow the connection for 30 minutes. After that time expires, the connection will be blocked. You can also block a site for a certain amount of time or "Forever." The same goes for allowing websites. I allow my computer to connect to the iCloud server "Forever," as I constantly have things syncing with my iCloud account. 


Little Snitch also now has a companion piece of software called Micro Snitch, which monitors your computer's camera and microphone and will alert you when they go active. I have found this piece of software not as useful, and I will explain why a little further down this article.

Follow Little Snitch on Twitter: @LittleSnitch


No. 3


ClamXAV

ClamXAV has, for years, been my favorite antivirus on the market for multiple reasons. One common issue with running antivirus on a Mac is live-monitoring. For quite some time, ClamXAV did not support live-monitoring, and it was instead a simple, powerhouse antivirus scanner. If you run this program as just an antivirus scan, it will bog your machine down, but I would simply set it up at night, and allow the scan to run while I slept. When I woke up, it had a list of all of the issues it may have found. I could then immediately put them in my Trash. 

What ClamXAV has released more recently is ClamXAV Sentry. It is a live-monitoring piece of software that I set up to monitor specific folders. Obviously, the folder most likely to get infected on your computer is your ~/Downloads folder. Anything downloaded from the internet will typically download here. I have it monitor my Downloads and my Desktop, as well as a few hidden folders. Most every-day users would not need to worry about the hidden folders, but because of how much I play with malware, I set it up to scan that anyway. 

So why do I like ClamXAV over Norton or Sophos or McAfee? Well, those programs' live monitoring is extremely CPU-consuming. I find myself getting angry with how slow it makes my machine run. With ClamXAV, I've never had that problem. ClamXAV is also one of the quickest AV engines to find new malware in the wild, so I cannot recommend it enough. 

There is a free trial, but it is now a paid program, and I think it is well worth the $29.95.

Follow ClamXAV on Twitter: @ClamXAV


No. 2


Malwarebytes for Mac

Another amazing malware remover and antivirus is Malwarebytes. For many years, Malwarebytes stuck pretty specifically to malware and something referred to as PUPs (Potentially Unwanted Programs). More recently, they have begun diving into the AV community, and with each update, Malwarebytes and ClamXAV get more and more similar as far as what they do. Malwarebytes for Mac was a program that I used often to help rid people of unwanted programs and adware. We will dive into some of these PUPs in our next blog post, but Malwarebytes was always there, and it would always remove the program fully, not leaving behind any files, no matter how deep they were buried in your system. 

Malwarebytes recently released Malwarebytes Premium 3.0, which is not only a malware scanner, but an antivirus software with "Real-Time Protection," which is like their version of live-monitoring. I got this upgrade immediately, and although there were some bugs early on with the program utilizing large amounts of memory, sometimes even when the program wasn't running, those bugs have since been resolved. Malwarebytes is also touted as one of the top antivirus scanners.

Take the image below. This shows live threats that Malwarebytes (for Windows and Mac) is catching. It also shows threats that it caught that other antivirus software did not. This was a screenshot I took less than two minutes into this map populating in real time. I can't imagine what it would look like if I allowed it to run for hours on end.


Malwarebytes is now the company to beat when it comes to antivirus. They are also one of the first companies to catch new threats, and they keep very busy on social media platforms for support and tips. You can download the free or paid version.

They also frequently blog about security issues, which I highly recommend reading. They are very up to date on everything that has to deal with computer security.

Follow Malwarebytes on Twitter: @Malwarebytes

Follow Malwarebytes for Mac specialist Thomas Reed on Twitter: @ThomasAReed


No. 1


Objective-See

Objective-See and its creator Patrick Wardle have been pumping out free application after free application for years now. No, they don't have one app, they have OVER 10!

First, Oversight, one of their newer applications, does the live-monitoring of your computer camera and microphone. As I mentioned earlier, Micro Snitch does it as well, but anything produced by Patrick Wardle is going to be some of the best software out there. It is easy to run, is easy to set up, and it just runs in the background, using virtually no CPU or memory. It is fantastic. You can allow or block connections when they are coming in, so you will instantly know if someone is using your camera without your permission.

In addition to this, they've added another application called BlockBlock, which monitors common persistence locations on your computer. This would be the locations malware may install.

Another application, Ransomwhere?, helps stop ransomware from making you a victim. It notices when something is encrypting your files, and you can either approve or terminate the process that is doing so. This is such a fantastic tool seeing as how ransomware has constantly been on the rise, especially over this past year.

Wardle has also released multiple open-source tools, encouraging users to download the programs through a Git website like GitHub. One of the more recent open source tools called ProcInfo is a tool that allows you to find a specific process and analyze it. This allows you to trace what a specific process is doing to see if it is malicious or not.

They have also produced an open-source program called LuLu that is a firewall. It will block any outgoing connection until it is approved by the user. I just recently started using LuLu, and I love it so far.

Again, all of these applications are FREE.

These are just four of the many tools that Objective-See has produced. I would highly suggest using them, and if you need help installing any of them, don't hesitate to let me know.

Follow Objective-See on Twitter: @Objective-See

Follow Patrick Wardle on Twitter: @PatrickWardle


In conclusion...

These are applications that I LOVE. I don't get paid to promote any of these. In fact, the free tools by Patrick Wardle and Objective-See are on Patreon, and I donate to them monthly because I believe so much in the power of the products. To show you how much I like these, I took a screenshot of my toolbar, where you can see many of these currently running.

(From left to right): MicroSnitch, BlockBlock, LuLu, ClamXAV Sentry, Little Snitch, Malwarebytes Premium 3.0, Oversight, NordVPN

Don't take Mac security for granted. All Macs are susceptible to malware. It's not too late to download these applications. Again, if you need any assistance installing or operating these programs, please don't hesitate to contact me, either for a home visit through my House-Call page or for general questions through my Contact page.
