Mac OSX Fake Installer / Malware Spotted in the Wild



04/13/2017




Kevin R. Smith
Co-Editor


[Image: OSX-Malware-Social-Engineering-Installer]

Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)

What's old school about it is that it uses an old social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.

As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.

  1. Every media type that matters is playable out of the box on a Mac.
  2. "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
  3. The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
  4. Powered by "MediaDownloader," yet the software is called "Media Player"?
  5. What the heck is the Finder icon even doing on an installer for a third-party product?


Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:

cdn.brigeo.info

(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)

So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
