Written by Chris Bing
A digital marketing firm based in Tel Aviv attempted to silence a group of researchers after they found that the company was responsible for highly intrusive advertising software which infected upwards of 10,000 Apple computers since 2016.
New research by Israeli company Cybereason shows that TargetingEdge, a secretive advertising technology firm, had developed and spread “OSX.Pirrit,” a covert piece of software that can manipulate browsers, track users’ activity and forcefully load digital advertisements. These advertisements appear to be scams, including fake, paid Apple customer channels and disreputable anti-virus software downloads.
The lead project researcher, Amit Serper, described OSX.Pirrit as malware because the program gains root access to a victim’s device and attempts to remain hidden in order to avoid being uninstalled or tracked by anti-virus products.
Cybereason was able to connect OSX.Pirrit to TargetingEdge by studying how the command-and-control infrastructure behind the adware would call back to certain domains. In several cases, it appeared developers had made an operational security mistake, leaving clues in the open about who registered several servers. These registration details included the names of TargetingEdge employees, several of whom owned LinkedIn accounts with publicly available information about their employer.
“TargetingEdge has taken extraordinary efforts to distance itself from the code that’s running on an amazing number of machines worldwide,” Cybereason stated in a release.
Serper told CyberScoop that the developers had clearly adopted several techniques typically found in conventional malware. He added the finding speaks broadly to the changing adware market, where marketers continuously seek the latest and most effective software to provide new levels of access and information about potential customers’ behavior.
“Many adware companies employ security researchers or reverse engineers to understand how the operating system works and how to stay stealthy and gather as much data as needed,” explained Serper. “There are several other companies [who do this sort of stuff]. A bunch of them are Israeli.”
What makes OSX.Pirrit so unique is how “aggressive” it is — “you’ll see new tabs spawning all the time … [and] the whole computer starts to be slow after about 5 minutes of browsing,” Serper described. The software’s underlying, primary purpose is to hijack a user’s browser in order to spy on them. Most of the infections associated with OSX.Pirrit come from users who click on disreputable web pages or applications, which cause the software to download.
“I first came across OSX.Pirrit last year,” Serper said. “The thing that set it aside back then was how ‘violent’ it was. It was adding a hidden root user with a random name, it was creating processes with random names, and it is nearly impossible to remove unless you know OSX internals very well. … It has every property of malware — from the DGA-like domains down to masking its files as apple config files — the whole thing stinks to high heavens.”
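As an added, defender-side example that is not part of the article or of Cybereason’s research: a small Python check for the “hidden root user with a random name” behaviour Serper describes, applied to the text of macOS’s `dscl . -list /Users UniqueID` listing. The allowlist of Apple accounts and the sample listing are assumptions constructed for the example.

```python
# Added example (not Cybereason's tooling): flag local macOS accounts that
# look like a covertly added hidden root user. Heuristic: a stock install has
# exactly one UID-0 account ("root"), and Apple's service accounts use UIDs
# below 500 with a "_" name prefix. Input is `dscl . -list /Users UniqueID`.
import subprocess

# Apple accounts below UID 500 without the "_" prefix (assumed allowlist;
# extend it for your own macOS build before relying on the result).
KNOWN_LOW_UID = {"root", "daemon", "nobody", "Guest"}

def parse_dscl_users(output: str) -> dict[str, int]:
    """Turn `dscl . -list /Users UniqueID` text into {name: uid}."""
    users = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            users[parts[0]] = int(parts[1])
    return users

def suspicious_accounts(output: str) -> list[tuple[str, int, str]]:
    """Return (name, uid, reason) for accounts worth a closer look."""
    findings = []
    for name, uid in sorted(parse_dscl_users(output).items()):
        if uid == 0 and name != "root":
            findings.append((name, uid, "second UID-0 (root-equivalent) account"))
        elif 0 < uid < 500 and not name.startswith("_") and name not in KNOWN_LOW_UID:
            findings.append((name, uid, "low UID without Apple's '_' service prefix"))
    return findings

def scan_live_system() -> list[tuple[str, int, str]]:
    """Run dscl on the local Mac (macOS only) and apply the heuristic."""
    out = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_accounts(out)

# Constructed sample, not output from a real infection: one random-named
# UID-0 account and one random-named low-UID account are planted in it.
SAMPLE = """\
_www        70
_mysql      74
daemon      1
nobody      -2
root        0
alice       501
vxqtfhzr    0
hgkzlm      499
"""

if __name__ == "__main__":
    for name, uid, why in suspicious_accounts(SAMPLE):
        print(f"{name} (uid {uid}): {why}")
```

A hit is a lead, not a verdict: confirm it with `dscl . -read /Users/<name>` and check the account’s creation time against the earliest sign of the adware.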
Shortly before Cybereason published the research, the advertising company attempted to muzzle the report’s authors by sending a cease and desist letter.
Serper told CyberScoop the letter was the first time TargetingEdge reached out to Cybereason, although Serper had already published two previous blog posts about OSX.Pirrit. The lack of contact is also strange, said Serper, because it appeared that each subsequent blog post had caused OSX.Pirrit’s developers to change their tactics, migrate to new infrastructure and edit code to escape detection. In other words, while TargetingEdge remained quiet, it appears to have taken into account the fact that its tool was under scrutiny.
A total of 29 antivirus engines on VirusTotal classify OSX.Pirrit as a threat. However, while it possesses the capability to do considerable additional damage, it seems to be focused only on delivering advertisements.
“Other than the disgusting ways they install [OSX.Pirrit] on a system, I didn’t find any evidence to arbitrary command execution ‘for fun’ – everything was meant to display ads,” Serper said. “There is one function there that its sole purpose is to execute commands on the victim’s machine but they use it for the purpose of installing themselves … It has some remote access trojan-like capabilities but they aren’t using them for remote access trojan purposes.”
Serper believes the OSX.Pirrit product is likely sold to third parties as part of a software development kit (SDK).