New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research

Search

Google Searches Displaying Bing Results on Infected Macs

A recently reported malware strain is meddling with traffic on Macs that have been infected to display Bing results through Google searches. The malware reroutes connections to a proxy that is able to change the Google results. Normally an attack like this would require an operating system or browser extension to download in order to be carried out. Instead, it disguises itself as an Adobe Flash plugin installer that is passed along either through email or a drive-by download. If the user happens to proceed with the installation of the plugin, they will be asked for their macOS account information, which would then give way for the proxy to be installed and then configured to receive all browser requests. Unencrypted data can then be tampered with. The Mac’s keychain will also receive a root security certificate that gives the proxy the capability to create SSL/TLS certs as websites are requested. With these certs, man-in-the-middle eavesdropping can be carried out on HTTP sites, and even HTTPS sites that do not have the correct MITM countermeasures in place. Once the Mac is infected and a Google search is carried out, the proxy pushes an HTML iframe that displays Bing results. It is thought to be that the malware creators are using the Bing search results to bring in profit. Researchers stated, “To our understanding, the attackers make money out of ads they are managed to serve via this process. It could be Bing ads in this case, or other ads throughout the process.” This process is believed to be a method to counteract changes made in macOS Mojave that thwarted traditional man-in-the-middle attack efforts.

Analyst Notes

Users should refrain from connecting to public Wi-Fi or any connection that is not protected by a password. Any alert messages or emails from unknown senders should be monitored closely as well. Users may also want to log out of any application when it is not in use.