Mac OSX Fake Installer / Malware Spotted in the Wild



04/13/2017




Kevin R. Smith
Co-Editor


[Screenshot: OSX-Malware-Social-Engineering-Installer]

Whilst traversing The Tubes yesterday doing some research on credit card processing across a host of different sites, I was hit with an old-school malware installer technique with a couple of new twists at one of them. (That's what it looks like above.)

What's old school about it is that it uses a well-worn social engineering ruse to trick people into installing it. Make no mistake: it's fake software. Well, it might play media files, but I guarantee there's some sort of unwanted malware / adware payload along with it.

As you can tell from the Finder icon in the top left, and the "Accept and Install" button in the lower right, it's obviously geared for people on a Mac, and here are some telltale signs it's fake.

  1. Every media type that matters is playable out of the box on a Mac.
  2. "Media Player" is Windows-only software, and it's built into Windows, i.e. no need to install it like this.
  3. The Accept and Install button and the Finder icon are the (now very) old Mac interface style.
  4. Powered by "MediaDownloader," yet the software is called "Media Player"?
  5. What the heck is the Finder icon even doing on an installer for a third-party product?


Curiously, both Bitdefender and Webroot for Mac missed identifying the serving URL as malicious:

cdn.brigeo.info

(Whether it has a trojan or some other malicious payload or if it's "just" adware, I don't know, and honestly, does it really matter? Its goal is to trick people into installing it.)
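Since both AV products let the serving URL through, a defender's fallback is to watch for that host in their own proxy or DNS logs. The script below is an added example, not code from the original post: it matches requests against a small watchlist at the registrable-domain level (so sibling hosts under brigeo.info are caught while a lookalike such as brigeo.info.example.net is not) and rates a macOS installer download from a watchlisted host higher than a plain page view. The log format, the client addresses, the file name MediaPlayer.dmg and the host static.brigeo.info are all constructed for the example; only cdn.brigeo.info comes from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registrable domains to alert on. cdn.brigeo.info is the serving host named
# in the post; matching on brigeo.info also catches sibling hosts.
WATCHLIST = {"brigeo.info"}

# Download of one of these from a watchlisted host is the strongest signal.
INSTALLER_SUFFIXES = (".dmg", ".pkg", ".zip")

# Constructed proxy log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    url: str
    severity: str  # "high" for an installer download, "medium" otherwise


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased host part of a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Assumption for this example; a production tool should use the Public
    Suffix List so that hosts under e.g. co.uk are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, severity) if the URL points at a watchlisted domain."""
    host = host_of(url)
    if host is None:
        return None
    if host not in WATCHLIST and registrable(host) not in WATCHLIST:
        return None
    path = url.split("?", 1)[0].lower()
    severity = "high" if path.endswith(INSTALLER_SUFFIXES) else "medium"
    return host, severity


def scan(lines: List[str]) -> List[Hit]:
    """Run the watchlist check over proxy log lines; unparsable lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        result = classify(m["url"])
        if result:
            host, severity = result
            hits.append(Hit(m["ts"], m["client"], host, m["url"], severity))
    return hits


# Constructed sample log: one benign request, a landing page and an installer
# download from the serving host, a sibling host, and a lookalike domain that
# must NOT match because its registrable domain is example.net.
SAMPLE_LOG = [
    "2017-04-12T14:02:11Z 10.0.0.7 GET https://www.example.com/ 200",
    "2017-04-12T14:02:13Z 10.0.0.7 GET http://cdn.brigeo.info/landing/index.html 200",
    "2017-04-12T14:02:19Z 10.0.0.7 GET http://cdn.brigeo.info/dl/MediaPlayer.dmg 200",
    "2017-04-12T14:03:01Z 10.0.0.9 GET http://static.brigeo.info/js/track.js 200",
    "2017-04-12T14:03:05Z 10.0.0.9 GET https://brigeo.info.example.net/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity:6} {hit.ts} {hit.client} -> {hit.host} {hit.url}")
```

The severity split matters for triage: a page view from the host tells you who saw the lure, while a .dmg or .pkg download from it tells you whose Mac to pull for a closer look.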

So, if you come across this bugger (or something similar in the wild), get the heck out of Dodge and, for cryin' out loud, keep your mouse away from the "Accept and Install" button, will ya?
