Typosquatting Tactic Tricks Mac Users into Downloading Potentially Unwanted Application

by Steven Du and Luis Magisa

We have found a new attack using an old trick called typosquatting to lure new victims. This old attack method involves the use of URLs with domain names that closely resemble those of popular websites to divert people to their often-malicious sites. Many users are already wary of typosquatting, as it has been used on Windows systems since the early 2000s. Despite the aging tactic, this recent finding proves it still works, specifically in this new attack, which is designed to redirect Mac users to a website that uses exaggerated threat detection claims to push them to download a potentially unwanted application (PUA).

A common mistake

This classic attack banks on the tendency of users to make a mistake while typing in the address of a website they want to visit. An inattentive user may not notice the mistake at all, and land on a cybercriminal’s webpage deliberately named for such a scenario. The user will then be redirected to several other websites, as demonstrated in our sample where we used a misspelled YouTube (youzube).

Redirection Typosquatting Mac Users PUA
Figure 1. User being redirected to different URLs

If the user does not notice the successive URL changes on their address bar (indicating the redirection), they would eventually land on an unexpected page.

Apple Fake Website 1
Figure 2. Browser redirected to an unexpected page

As can be seen in the sample, the final page appears to be an official Apple website that notifies the user that their Mac is infected by several viruses. It is of course only a disguised malicious webpage. The warning is designed to raise panic and convince users into taking immediate action, before their suspicion is raised. It even issues a pop-up message to further drive this purpose.

Users that believe the notification might click the “Scan Now” button, which, when pressed, shows a short scan progress bar followed by its alarming “results.” These results might then further push the user to click on the “Remove Viruses Now” button on the page, which prompts the download of the Advanced Mac Cleaner, a confirmed well-known PUA (detection name OSX_AMCleaner).


Figure 3. Results of a supposed virus scan

Another attempt at going to the wrong URL (youzube[.]com) landed on a different page that was also using a similar scam tactic. Downloading the suggested solutions on that page also leads to another confirmed PUA, which is under the same family as the one we mentioned earlier.

Other attempts at opening the wrong URL led to different unknown websites. The first is a gaming website. The second is a mirror site for downloading MacKeeper. The third is a page that offers what seemed to be a video streaming application of the World Cup.


Figure 4. Webpage offering a video streaming app

For the last mentioned website, clicking on the “Download and Watch Now Button” did not lead to a video streaming application, but to a file confirmed to belong to another PUA family (detected as OSX_SHLAYER).

Potentially unwanted applications

OSX_AMCleaner

AMCleaner displays fake notifications or exaggerated system issues to scare them into buying the full version of the app from their website. The app is usually downloaded over the internet as a pkg file that displays an installation GUI when opened.


Figure 5. Installation window

The pkg file contains executable app bundles, listed below.

  • The Mac Mechanic App (detected as OSX64_AMCLEANER.MSGE517), which contains the main GUI of the app and the majority of its functions.
  • The Mmhlpr.app (detected as OSX64_AMCLEANER.MSGE917), which is responsible for message notifications. It is also responsible for launching the main app and can be found under the resource directory of the Mac Mechanic app.
  • The Mmupd.app (detected as OSX64_AMCLEANER.MSGB818), which is responsible for checking and installing updates for the PUA. It is found under the resources directory of Mmhlpr.app.

During installation, the PUA drops the said files into the following locations:

  • /Applications/Mac Mechanics.app
  • ~/Library/Application Support/mmc/mmhlpr.app

After completing the installation, the PUA initiates a scan of three locations in the user’s system: Library/Logs, Library/Cache and Library/.Trash. It then displays its exaggerated results.


Figure 6. Scan results

The results may convince the user to purchase the complete version of the app to address the exaggerated problems. It should be noted that the user can do some of the suggested clean up actions without any additional applications. For example, to address the Trash Manager issues, the user can simply empty trash from the desktop.

AMCleaner also runs on startup because of dropped files in the user’s system which can be found in this location: {Current User}/Library/LaunchAgents/rmmclist.plist.

OSX_SHLAYER

The second PUA file usually downloads and executes other adware into a user’s system. It is typically downloaded as an unsigned dmg installer, disguised as a flash player installer.

Checking the app bundle reveals that the main executable looks suspicious because it is randomly named. The file can be seen in the resources directory. Opening the main executable, we discover that it is not a Mach-O file — usually the file format paired with most dmg — but a bash script file (detected as  OSX_SHLAYER.RSMSGE218).


Figure 7. Main bash script

Using the OpenSSL command line tool, it decrypts the enc file found in the location Player_699.app/Contents/Resources/. The decrypted file contains another code, which is further decrypted. The final decrypted enc file is a bash script capable of several activities, listed below.

  1. Collect the OS version and UUID of the system.
  2. Attempt to send the information to its download URL: hxxp://api[.]macmagnificent[.]com/sd/?c=DGBybQ==&u=$machine_id&s=$session_guid&o=$os_version&b=312827669.
  3. Generates the $machine_id, $session_guid, and $os_version.
  4. Downloads a password protected archive containing an app bundle.
  5. Saves the archive in /tmp/{random}
  6. App bundle is executed on the system after extraction

At the time of writing, the download URL has become inaccessible and the routine was not completed.

Mistyped URLs

We found that the mistyped URL is just one of many possible URLs that lead to the same mode of attack. The WhoIs information of youzube[.]com showed the owner's registered email, and digging into the registered owner's other URLs suggested hundreds, maybe even thousands of other domains. Many of the host names closely resemble popular websites and brands.

Cybercriminals behind this kind of campaign may have cast a large net, using as many domain names as they can to distribute PUA. Although there is no direct evidence, this distribution method may be related to the increase in our detection of OSX_AMCleaner and OSX_SHLAYER from June to July.


Figure 9. Detection data for OSX_AMCleaner family


Figure 10. Detection data for OSX_SHLAYER family

Solutions and Mitigation

Even as technology continues to develop, this campaign proves that cybercriminals are not above using simple tactics to distributing malicious files. For users, this means even the simplest precaution is still as important in defending against the continuing evolution of threats. In this case, simply entering the correct URL will prevent users from landing on these malicious pages. Checking the website's domain before performing any action on the site, and downloading files or applications only from official websites or sources will help users avoid such threats.

Mac users can also take advantage of added protection from security solutions like Antivirus for Mac®, which provides comprehensive security against cyberthreats.  While enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

Indicators of Compromise (IoCs):

SHA 256s Detection Names
00eea75c983427969c431ad8773c06a92b417e6f73e450588bb66ba59ead7f61 OSX_SHLAYER.MANP
461e12d8afd2414b25d37d9e4fe935b7d08155aba90db7eddb205291cf0a4a61 OSX64_AMCLEANER.MSGB818
79b703c7f7d623227ffbfba8b715f300d938a045283e3a4a3d3c63dad939150f OSX64_AMCLEANER.MSGB818
871e4896cba11864126a80610f810c94d71f516805428b9b5c159ceb5e9c0ade OSX64_AMCLEANER.MSGE517
c1eaf3292ce200ddbfe8fe7456bb7464b72b6a64d67bec35ab6820b6000db175 OSX64_AMCLEANER.MSGB818
f0d6330a0f91b5224126b3abc5c513ba6bab62ce6e2adc9e87f189d0c87cb958 OSX_SHLAYER.RSMSGE218
f2cb00583a6da3aef4533fcd7973dc0d49408175e4844b49cea382912ad3747e OSX64_AMCLEANER.MSGB818


 

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.