
Adware Installer Uses Old Trick to Access OS X Keychain

The developers of an adware installer are leveraging an old trick to access the Keychain on OS X devices, researchers have warned.


One month ago, researchers at Malwarebytes reported spotting a new installer that had leveraged a then zero-day local privilege escalation vulnerability in OS X to install Genieo and VSearch adware on computers without users having to enter the system password. The attackers also installed MacKeeper and directed victims to the Apple App Store page of a file downloader named Download Shuttle.

The vulnerability exploited to install the adware was patched by Apple on August 13 with the release of OS X Yosemite 10.10.5.

In a new blog post published this week, Malwarebytes reported seeing a new version of the previously analyzed installer. The new installer asks users to enter their admin password, after which it installs Genieo, VSearch and MacKeeper and redirects users to Download Shuttle.

While this might seem to be the end of it, the installer also uses a clever trick to access the Safari Extensions List in the Keychain. It does this by locating the “Allow” button on a Keychain alert and simulating a click on it. The Keychain alert is visible for less than a second before the Allow button is automatically clicked, so victims are unlikely to become suspicious.

The Mac OS X Keychain is a password management system that is used to store passwords and other sensitive information.

In this case, the goal is to give the installer access to the Safari Extensions List in the keychain in order to install a Genieo Safari extension called “Leperdvil.” However, experts warn that the adware could be adapted to access users’ iCloud passwords and other data from the keychain.

Genieo installers have been capable of installing shady Safari extensions for years, but Malwarebytes researchers believe this latest trick might be an attempt to bypass the new Safari extension handling mechanisms in the upcoming 10.11 El Capitan version of OS X.


Malwarebytes says it has spotted the malicious code in almost every app installed by the Genieo installer at least since early June.

A similar piece of adware was spotted by researchers at Webroot. Experts identified code designed to add an exception to the settings of ad blocker applications such as AdBlock Plus in order to ensure that the attackers’ ads would not get blocked.

CSO reported that this Keychain attack method was also disclosed by researchers at Beirut-based identity management company MyKi. The experts developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and send them to the attacker via SMS. They reported their findings to Apple, but they haven’t received any response.

However, it’s worth noting that this is not exactly a new attack method and it doesn’t involve an actual vulnerability. The technique, which has been known for several years, can only be leveraged by an application that obtains root privileges (either via a vulnerability, or by tricking the user into entering the system password).

A security expert using the online moniker “noar” pointed out on Twitter that the technique was used back in 2011 by DevilRobber, a piece of OS X malware designed for Bitcoin mining and data theft.

Once a piece of malware gains root access to a system, it’s not difficult for it to read Keychain passwords. In 2012, Finnish software developer Juuso Salonen released a PoC tool, named “keychaindump,” capable of reading the plaintext Keychain passwords of logged-in users. The keychaindump tool still works today, noar noted.

“There is a design compromise in Apple’s keychain implementation that sacrifices some security for a lot of usability,” Salonen wrote in a blog post when he released his tool. “As a result, the root user is able to read all keychain secrets of logged-in users, unless they take extra steps to protect themselves. I’m sure Apple is perfectly aware of the security implications, and made the bargain intentionally.”

Apple had not responded to SecurityWeek’s request for comment by the time of publication.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
