Connect with us

Hi, what are you looking for?


Endpoint Security

Israeli Ad Company Behind “Pirrit” OS X Adware: Report

Mac users can be exposed to malware and applications that engage in other types of nefarious behavior just as Windows users are, the latest development in the OSX.Pirrit adware reveals.

Mac users can be exposed to malware and applications that engage in other types of nefarious behavior just as Windows users are, the latest development in the OSX.Pirrit adware reveals.

Spotted for the first time in April, the malicious program was created to reroute a Mac’s entire Internet traffic to a local proxy, to create a hidden user on the machine, to hide its installation and to prevent users from blocking the ads it could inject into their web traffic. The malware, an OS X port of a Windows adware, has since seen an update that removed the Windows binary in the original version.

Amit Serper, Lead Linux and Mac OS X Security Researcher, Cybereason, revealed (PDF) back in April that the threat was spreading via drive-by downloads masquerading as fake updates. Once executed, it would prompt the user to enter their password, thus gaining root privileges. Unlike its Windows counterpart, however, OSX.Pirrit was drawing closer to leaving the adware category and becoming malware.

On a compromised machine, the adware changes the browser search engine, creates a hidden user on the machine, and installs an ad injecting proxy and a clickjacker. By redirecting all of user’s web traffic through an HTTP proxy, the adware could inject ads into webpages. The adware would appear in the list of running processes and the large number of ads would signal to the user that there’s something wrong with the machine, the researcher said.

Serper also released a remediation script to help users infected with the adware, but the recent update the malicious app received renders the script useless, the researcher says. In a new report (PDF) on this threat, he also explains that the adware was created by an Israeli-based ad company and that, although OSX.Pirrit is only used to serve ads for the time being, it can easily turn malicious and completely take over the victim’s machine.

In his report, the Cybereason researcher reveals that the latest version of OSX.Pirrit was created by an executive of TargetingEdge, which claims to be an “online marketing” company. A look at the company’s LinkedIn page revealed that it offers a “mac-approved installer,” and that it can provide “the unique opportunity to monetize extensive remnant mac traffic and gain additional revenue from an already existing user pool.”

Evidence of OSX.Pirrit being created by this company is overwhelming, the researcher says: the malware’s ad-injection proxy was dropped as a tar.gz archive that saves all of the file attributes inside it, including owners and permissions. Basically, the archive revealed the owner of the computer that it was created on, which allowed the researcher to link it to TargetingEdge.

Advertisement. Scroll to continue reading.

Serper also discovered that the new variant includes additional code that allows it to check for competing programs on the compromised machine and remove them. Moreover, the new version has 14 new hidden users. Other than that, the program appears to work the same as before, and even to employ the same distribution scheme: it comes packed within legitimate software, such as MPlayerX, NicePlayer and VLC.

The main issue here, the researcher says, is that the user is never informed on the fact that it installs adware alongside the legitimate app, although this is the case with most adware on Windows. He also notes that, not only aren’t users made aware of what they install, but they aren’t provided with the possibility to opt out either. Not to mention that OSX.Pirrit’s uninstall instructions aren’t easy to access at all.

“OSX.Pirrit allows attackers to take full control of a computer. Instead of flooding a person’s browser with ads, attackers could have installed a keylogger to capture log-in information to your bank account or made off with your company’s intellectual property. Companies need to know what’s happening on their machines, including Macs, because the instant an enterprise doesn’t, they’re compromised,” the researcher concludes.

In December, Symantec said that the number of OS X malware infections in the first nine months of 2015 was seven times higher than in all of 2014, although the number of newly detected threats dropped. Some of the most recent threats to OS X users include the OceanLotus Trojan and the KeRanger ransomware.

Related: New Tool Aims to Generically Detect Mac OS X Ransomware

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...