March 3, 2016

Malware programs for Apple computers are not as widely spread as Trojans for Windows and Android. Nevertheless, cybercriminals are still interested in targeting Mac owners. Today’s malicious programs for OS X are mainly designed to display annoying advertisements in the browser window. In March, Doctor Web security researchers registered new adware Trojans that belong to the Mac.Trojan.VSearch family.

The Mac.Trojan.VSearch Trojans begin their malicious activity with an application installer that Dr.Web detects as Mac.Trojan.VSearch.2. It is spread masquerading as various utilities or software—for instance, as the Nice Player application. Users can download it from different websites offering free OS X software.

Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application. This dialog usually prompts the user to choose necessary modules from the list. However, in fact, it is not the case because the installer skips this step and moves to the next stage prompting the user to specify the installation folder. At that, the Trojan is set as if the user themselves checked all offered components. Among them, we can mention the Mac.Trojan.VSearch.4 Trojan and such dangerous and unwanted applications as MacKeeper (Program.Mac.Unwanted.MacKeeper), ZipCloud (Program.Mac.Unwanted.ZipCloud), and Mac.Trojan.Conduit.

After Mac.Trojan.VSearch.4 is installed on the infected computer, the Trojan downloads a script from the server. This script is used to set another default search engine—the Trovi server. In addition, applying this script, Mac.Trojan.VSearch.4 can download and install a search plug-in for Safari, Chrome, and Firefox. Dr. Web detects this plug-in as an unwanted application named Program.Mac.Unwanted.BrowserEnhancer.1. And, finally, the Trojan downloads and installs another malicious program—Mac.Trojan.VSearch.7.

Once Mac.Trojan.VSearch.7 is on the computer, the very first thing it does is create a new user account, which is not displayed in the OS X Welcome dialog. Then it launches a special proxy server that is used to inject a JavaScript script in all opened webpages. This script is responsible for display of advertisements in the browser window and collects the user’s Web search queries of several search engines.

Doctor Web specialists found that 1,735,730 malicious programs were downloaded from the cybercriminals’ servers. At that, they also registered 478,099 unique IP addresses that requested these servers. This fact allows to make certain assumptions about the distribution area of the threat. Dr.Web for OS X successfully detects Trojans belonging to the Mac.Trojan.VSearch family; therefore, they do not pose any threat to our users.

More about these Trojans