This IP address, 192.64.119.107, appears to be rather malicious: Moving on to 'Safe Finder', BlockBlock as alerts us of a process named 'i' persisting something named 'Mughthesec as a launch agent.Īn open-source process monitoring utility I wrote (based on the Proc Info library) shows Mughthesec being started by the Installer application ( FlashPlayerInstaller, pid: 490): It also kindly informs us of several 'critical' issues.
#ADVANCED MAC CLEANER SAFE INSTALL#
Not too unexpectedly, the Advanced Mac Cleaner triggers a few BlockBlock warnings as it attempts to install a persistent launch agent and login item: Since we're playing along, we click 'Next' to install it all! Once the outgoing connection is allowed, the Installer application kindly asks the user to install some 'adware' and potentially unwanted programs: To change the VM's mac address, shut it down, then change it via the VM's Network Adapter's settings (click 'Advanced Options' to modify the MAC address).Īlright, let's run the damn Installer.app already!įirst thing, LuLu (my soon-to-be-released macOS firewall!) detects an outgoing network connection: Apparently this is common trick used in macOS adware! Thomas Reed ( correctly guessed that this 'VM detection' is done by examining the MAC address (VMWare VMs have 'recognizable' MAC address). This is required step, because it turns out that the installer actually doesn't do anything malicious, (besides actually installing a legit copy of Flash), if it detects it running in VM. Now, before we run this in a VM - let's change the MAC address of the virtual machine. $ strings -a ~/Downloads/Mughthesec/Installer.app/Contents/MacOS/mac | grep http
![advanced mac cleaner safe advanced mac cleaner safe](http://www.advancedwaterrestoration.com/images/blog/cooking-safety-to-avoid-fire-damage.jpg)
Using spctl, we can confirm the disk image's certificate is still valid (i.e. Using WhatsYourSign, we can examine the signing info: Uploaded to VirusTotal on August 4th as Player.dmg, it currently remains undetected: Let's start with the installer disk image.
![advanced mac cleaner safe advanced mac cleaner safe](https://www.pcrisk.com/images/stories/screenshots201805/maccleanpro-homepage.jpg)
Gavriel was kind enough to share a sample ( 'Mughthesec') with me, and that, coupled with the assistance from another security researcher, led to recovery of what appeared to be the original installer (sha256: f5d76324cb8fcae7f00b6825e4c110ddfd6b32db452f1eca0f4cff958316869c)Īs neither the sample, Mughthesec, nor the (signed!) installer were detected by any AV engines on Virus Total I decided to take a closer look. ~/Library/Application Support/com.Mughthesec/Mughthesec.Only in Safari." Following another user's suggestion, 'giveen ' ran EtreCheck which noted several "unknown files:" Posted on August 2nd, user 'giveen' stated that, "Only in Safari, when this specific user logins, it does not render Gmail correctly. Interestingly, googling " Mughthesec" only returned one relevant hit a post on Apple's online's forums tilted "Safari does not render Gmail correctly". Yesterday Gavriel State ( posted an interesting tweet:
![advanced mac cleaner safe advanced mac cleaner safe](https://malwarefixes.com/wp-content/uploads/2017/03/mac-clean-plus.png)
Want to play along? I've shared the adware, which can be downloaded here (password: infect3d).