Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Israeli Ad Company Behind “Pirrit” OS X Adware: Report

Mac users can be exposed to malware and applications that engage in other types of nefarious behavior just as Windows users are, the latest development in the OSX.Pirrit adware reveals.

Mac users can be exposed to malware and applications that engage in other types of nefarious behavior just as Windows users are, the latest development in the OSX.Pirrit adware reveals.

Spotted for the first time in April, the malicious program was created to reroute a Mac’s entire Internet traffic to a local proxy, to create a hidden user on the machine, to hide its installation and to prevent users from blocking the ads it could inject into their web traffic. The malware, an OS X port of a Windows adware, has since seen an update that removed the Windows binary in the original version.

Amit Serper, Lead Linux and Mac OS X Security Researcher, Cybereason, revealed (PDF) back in April that the threat was spreading via drive-by downloads masquerading as fake updates. Once executed, it would prompt the user to enter their password, thus gaining root privileges. Unlike its Windows counterpart, however, OSX.Pirrit was drawing closer to leaving the adware category and becoming malware.

On a compromised machine, the adware changes the browser search engine, creates a hidden user on the machine, and installs an ad injecting proxy and a clickjacker. By redirecting all of user’s web traffic through an HTTP proxy, the adware could inject ads into webpages. The adware would appear in the list of running processes and the large number of ads would signal to the user that there’s something wrong with the machine, the researcher said.

Serper also released a remediation script to help users infected with the adware, but the recent update the malicious app received renders the script useless, the researcher says. In a new report (PDF) on this threat, he also explains that the adware was created by an Israeli-based ad company and that, although OSX.Pirrit is only used to serve ads for the time being, it can easily turn malicious and completely take over the victim’s machine.

In his report, the Cybereason researcher reveals that the latest version of OSX.Pirrit was created by an executive of TargetingEdge, which claims to be an “online marketing” company. A look at the company’s LinkedIn page revealed that it offers a “mac-approved installer,” and that it can provide “the unique opportunity to monetize extensive remnant mac traffic and gain additional revenue from an already existing user pool.”

Evidence of OSX.Pirrit being created by this company is overwhelming, the researcher says: the malware’s ad-injection proxy was dropped as a tar.gz archive that saves all of the file attributes inside it, including owners and permissions. Basically, the archive revealed the owner of the computer that it was created on, which allowed the researcher to link it to TargetingEdge.

Serper also discovered that the new variant includes additional code that allows it to check for competing programs on the compromised machine and remove them. Moreover, the new version has 14 new hidden users. Other than that, the program appears to work the same as before, and even to employ the same distribution scheme: it comes packed within legitimate software, such as MPlayerX, NicePlayer and VLC.

The main issue here, the researcher says, is that the user is never informed on the fact that it installs adware alongside the legitimate app, although this is the case with most adware on Windows. He also notes that, not only aren’t users made aware of what they install, but they aren’t provided with the possibility to opt out either. Not to mention that OSX.Pirrit’s uninstall instructions aren’t easy to access at all.

“OSX.Pirrit allows attackers to take full control of a computer. Instead of flooding a person’s browser with ads, attackers could have installed a keylogger to capture log-in information to your bank account or made off with your company’s intellectual property. Companies need to know what’s happening on their machines, including Macs, because the instant an enterprise doesn’t, they’re compromised,” the researcher concludes.

In December, Symantec said that the number of OS X malware infections in the first nine months of 2015 was seven times higher than in all of 2014, although the number of newly detected threats dropped. Some of the most recent threats to OS X users include the OceanLotus Trojan and the KeRanger ransomware.

Related: New Tool Aims to Generically Detect Mac OS X Ransomware

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...