Mac malware is still a rare occurrence, so it’s no wonder that some of it can lurk, unnoticed for months, on random machines. The latest example falls more in the category of “potentially unwanted software” than outright “malware,” but it could easily be made to saddle users with more malicious threats.

The sample analyzed by security researcher Patrick Wardle was not detected by a Mac AV solution, and it was lifted directly from an infected MacBook after being spotted by a user. The malware has been dubbed Mughthesec, after the name of the app and the launch agent it installs on the target machine.

The disk image was made to look like an Adobe Flash installer, and if it detects that it is being run in a virtual machine, it will install only a legitimate copy of Flash. If not, it will reach out to a C&C server and then ask the victim to install a fake, scammy utility app (Advanced Mac Cleaner), a piece of adware (Safe Finder), and a browser hijacker ().

Interestingly enough, both files were signed with the same valid developer certificate, which Apple revoked soon after Wardle’s analysis. Wardle even managed to get his hands on the adware’s original installer and tested it on VirusTotal.
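The article says Mughthesec persists through a launch agent and went unnoticed by AV, so the practical check for a defender is to triage the launchd plists on a machine rather than wait for a signature. The script below is an added example, not code from the article or from Wardle’s analysis: it parses launchd agent plists, reports which executable each job runs and whether it starts at login, and flags executables that live outside an allowlist of install locations or in hidden directories. The allowlist, the job labels and the two sample plists are constructed for illustration and are not real Mughthesec artifacts.

```python
"""Triage macOS launchd agent plists for persistence indicators.

Added example; not code from the article or from Wardle's analysis. The
trusted-root allowlist, labels and sample plists below are constructed.
"""
import plistlib
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumption: executables under these roots were installed by the OS or by an
# admin-installed application. A defender would tune this list per fleet.
TRUSTED_PROGRAM_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/",
                         "/Library/Apple/", "/Applications/")


def program_of(job: dict) -> Optional[str]:
    """The binary launchd will run: 'Program' wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def assess_agent(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and list the reasons it may deserve a closer look."""
    job = plistlib.loads(plist_bytes)
    prog = program_of(job)
    reasons = []
    untrusted = prog is None or not prog.startswith(TRUSTED_PROGRAM_ROOTS)
    if prog is None:
        reasons.append("no executable declared")
    else:
        if untrusted:
            reasons.append(f"executable outside trusted roots: {prog}")
        if any(part.startswith(".") for part in PurePosixPath(prog).parts):
            reasons.append("executable lives in a hidden directory")
    # Persistence knobs: start at login, and restart the job if it exits.
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive")
    return {
        "label": job.get("Label"),
        "program": prog,
        "reasons": reasons,
        # RunAtLoad alone is normal for agents; the executable's location decides.
        "suspicious": untrusted,
    }


def scan_agents(directory: Path) -> list:
    """Assess every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    results = []
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append({"file": str(path), **assess_agent(path.read_bytes())})
        except Exception as exc:  # a plist that will not parse is itself worth a look
            results.append({"file": str(path), "suspicious": True,
                            "reasons": [f"unparseable: {exc}"]})
    return results


# Constructed samples (not real Mughthesec artifacts).
BENIGN_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 3600,
})

ADWARE_LIKE_AGENT = plistlib.dumps({
    "Label": "com.constructed.agent",
    "ProgramArguments": ["/Users/victim/Library/Application Support/.agent/agent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN_AGENT, ADWARE_LIKE_AGENT):
        print(assess_agent(sample))
    # On a real Mac, also walk the current user's agents directory.
    home_agents = Path.home() / "Library" / "LaunchAgents"
    if home_agents.is_dir():
        for result in scan_agents(home_agents):
            if result["suspicious"]:
                print("REVIEW:", result)
```

The location check is deliberately the only thing that sets `suspicious`: many legitimate agents use `RunAtLoad`, so those keys are reported as context rather than treated as verdicts. Because the article notes the sample carried a valid developer signature until Apple revoked it, a follow-up step on a live machine would be to run `codesign --verify` on each flagged executable, which fails once the certificate is revoked.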