Is SearchMine Adware Teeing Up Your Endpoints For Other Threat Actors?

Notorious macOS adware nuisance SearchMine had a small but interesting update recently as it continues to plague macOS users with browser hijacking, search redirections and system slowdowns. The name SearchMine refers to a particular browser hijacker, but it rarely travels alone and is typically found installed alongside a bundle of other potentially unwanted applications, adware offerings, bundle installers, and sketchy ‘cleaner’ or fake AV software like Advanced Mac Cleaner and Mac Cleanup Pro. 

As SearchMine has been around for quite some time, even legacy security software will detect some versions of SearchMine and other elements of its family that go by various names such as ‘Bundlore’, ‘Crossrider’ and ‘Bnodlero’. However, the developers behind this nuisance, which saps resources and harms user productivity, are always looking for new ways to persist, reinfect and escape detection. In this post, we discuss a recent change to SearchMine and describe how the adware collects and uploads detailed device information to its own servers even though it appears to have little use for that data itself.

What is SearchMine Adware?

SearchMine is part of a larger family of adware that is propagated under brand names like ‘MyCouponSmart’, ‘MyMacUpdater’, ‘MMInstall’ and many others. The main aim of the SearchMine component is to redirect the user’s search traffic to its own landing page at www[.]searchmine[.]net. The adware primarily looks to infect Safari and Chrome browsers, but Firefox has also been targeted in some infections.

What makes SearchMine particularly concerning for enterprise security is not just the nuisance value to staff and the drain on resources and productivity but also the fact that the adware collects and exfiltrates a lot of information about the host machine. This includes a unique machine ID, versions of the OS and browsers, a list of installed applications, global LaunchAgents and LaunchDaemons and, interestingly, the installed version of Apple’s MRT.app (Malware Removal Tool.app).

Although on our test machine (shown below) this amounted to very little, as we use only a barebones VM, on an enterprise device it is likely to contain a lot more interesting data. A list of installed apps, agents and daemons is valuable intel to threat actors, as it indicates both possibilities for exploiting vulnerable software and whether a machine contains security software that could catch malware. Exactly why these particular adware developers are interested in collecting and exporting this information isn’t known, but at least one reason might be to sell it on to other threat actors in DarkNet forums or other digital marketplaces.

image of script showing how adware scrapes device data and exports it to their own servers

Other reasons to be concerned about this adware pest from a security perspective include the fact that it requests elevated privileges on installation and then modifies the sudoers file to allow the current user to run as root without further password challenges. When people argue about whether adware is really malware, we find that behaviours such as this blur the line to the point that, at least from the enterprise point of view, the distinction really doesn’t matter.

image of how a malicious script manipulates the sudoers file on macOS

UpToDateMac – SearchMine’s Latest Update Mechanism

As with most commodity adware and malware, SearchMine leverages multiple LaunchAgents and LaunchDaemons for persistence. It will also typically install user-level Profiles to lock down Chrome and Safari preferences so that, regardless of what the user sets in the browser for things like home page and preferred search engine, these will be overridden by the global Managed Preferences determined by the installed Profile’s .mobileconfig file.

One of SearchMine’s user LaunchAgents typically has the following program arguments, where User1 is the current user’s shortname.

image of malicious launch agent's program arguments on macOS

Note that the executable being pointed to, MyMacUpToDate in this case, is in the non-standard location of ~/Applications rather than /Applications. The base64 decodes as follows.

image of malicious base64 decoded

In a recent incident, we noticed both this file and a newer, second LaunchAgent that took the following form:

image showing launch agent program arguments in new variant of SearchMine adware

Again, note the non-standard Applications folder location, but also the -E flag for sudo. This flag indicates that the program should be launched while preserving the user’s existing environment variables, which itself suggests the executable is likely a shell script – something that is becoming increasingly favored by macOS threat actors – rather than an application or Mach-O executable.

On further investigation, it turns out that UpToDateMac is indeed a shell script that makes heavy use of environment variables and has a few other interesting features worth noting.

Digging Deeper into the UpToDateMac Shell Script

Although a copy of the shell script was blocked and deleted on the user’s machine before it could execute, a quick search on VirusTotal returned us a copy that had been uploaded in early February.

4ab52dd99ecf269cf74ff9334dec015ad0184659ba848fd762dabc650e00a575

image of malicious adware script UpToDateMac being detected on VirusTotal

One of the first interesting features we noticed about the script was that it includes a kill mechanism.

image of how adware script checks for existence of a touch file before running

The script aborts its malicious behavior if it finds a 0-byte file in ~/Library/Application Support/ with the filename .upd2006. If the file doesn’t exist, the script writes the file with touch and continues with its execution. 

The script then creates an MD5 hash from the Mac’s serial number and collects the version numbers of Safari and Chrome browsers.

image showing how the adware script collects browser version data

Making good use of LOLBins (Living off the Land binaries) the script then downloads a Profile template via curl, modifies it with the sed stream text editing utility, and installs it with the native profiles command. As mentioned earlier, this serves to lock down the user’s browsers so that they cannot change the home page and other preferences from within the browser.

image showing how the adware script downloads a template mobile config file and populates it with data to lock down the user's browser preferences

Among other operations aimed at updating the installation, the script goes on to gather the list of applications on the user’s machine, the list of Profiles, LaunchAgents, LaunchDaemons and the MRT version. All of this is then concatenated and uploaded in JSON format to the mmp[.]myshopcouponmac[.]com domain.
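A defender-side hunting script for the traits discussed in this section and in the LaunchAgent and sudoers sections above, written as an added example rather than code from the post or from the adware itself. The function names, the constructed sample home directory and its plist and sudoers contents are assumptions for a dry run, not artifacts from a real infection.

```shell
# Hunts for the SearchMine/UpToDateMac traits described above: the .upd2006 kill
# switch, LaunchAgents running a program from ~/Applications or via `sudo -E`,
# and NOPASSWD grants in sudoers. Only grep/sed are used, so it runs anywhere.

# Report the 0-byte kill-switch file if present under home directory $1.
check_marker() {
  m="$1/Library/Application Support/.upd2006"
  [ -e "$m" ] && echo "marker: $m"
  return 0
}
# Print one line per suspicious trait found in the plists under $1.
scan_launch_agents() {
  [ -d "$1" ] || return 0
  for plist in "$1"/*.plist; do
    [ -f "$plist" ] || continue
    # program lives in the user's ~/Applications, not /Applications
    grep -Eq '(/Users/[^/<]+|~)/Applications/' "$plist" &&
      echo "nonstandard-app-path: $plist"
    # `sudo -E` keeps the environment the shell-script loader relies on
    grep -q '<string>sudo</string>' "$plist" && grep -q '<string>-E</string>' "$plist" &&
      echo "sudo-preserve-env: $plist"
  done
  return 0
}
# Print NOPASSWD grants from a sudoers file or sudoers.d directory $1.
check_sudoers() {
  [ -r "$1" ] && grep -rn 'NOPASSWD' "$1" | sed 's/^/nopasswd: /'
  return 0
}
# Run every check for home directory $1 and sudoers path $2.
hunt_searchmine() {
  check_marker "$1"
  scan_launch_agents "$1/Library/LaunchAgents"
  check_sudoers "$2"
}
# Constructed sample home (not a real infection) mirroring the IoCs above.
make_sample_home() {
  h=$(mktemp -d)
  mkdir -p "$h/Library/LaunchAgents" "$h/Library/Application Support"
  : > "$h/Library/Application Support/.upd2006"
  printf '%s\n' '<plist><dict><key>ProgramArguments</key><array>' \
    '<string>sudo</string><string>-E</string>' \
    '<string>/Users/User1/Applications/UpToDateMac/UpToDateMac</string></array></dict></plist>' \
    > "$h/Library/LaunchAgents/com.uptodatemac.upd.agent.plist"
  printf 'User1 ALL=(ALL) NOPASSWD: ALL\n' > "$h/sudoers.sample"
  echo "$h"
}
# Demo on the sample; run hunt_searchmine "$HOME" /etc/sudoers on a real host.
d=$(make_sample_home); hunt_searchmine "$d" "$d/sudoers.sample"
```

Each finding is printed as a `kind: path` line, so the output can be fed straight into a ticket or a SIEM collector; an absent sudoers path or LaunchAgents directory simply produces no output.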

image showing how the adware script gathers version data on Apple's built-in Malware Removal Tool

Although the domain was apparently registered in 2018, there are unsurprisingly few details about it. It runs on an old and (ironically) vulnerable version of nginx on an Ubuntu server.

image of DNSDumpster showing minimal info for the attackers server

Equally unsurprisingly, the domain has been queried a couple of dozen times on VirusTotal over the last few months.

image of submissions on Virus Total about the threat actors ip address

Conclusion

In this post, we’ve taken a quick look at a recent update to one of the Mac’s most prevalent browser hijackers, SearchMine, and its related adware family MyShopcoupon and friends. The key takeaway here for enterprise security is to be aware that these actors are not just annoying your users and impacting their productivity, they are also gathering detailed information about devices on your network, their installed applications and legitimate persistence mechanisms in the form of LaunchAgents and LaunchDaemons. 

Since such information goes beyond the first-order need of simply making money from browser redirections, it seems the actors may be building a data lake out of it, presumably with the intent to monetize that further down the road. Although at a research level there is some utility in distinguishing between ‘malware’ and ‘adware’, at the endpoint level they both represent a compromise of your organization’s integrity.

The key to preventing device data ending up in criminals’ hands is to prevent such malicious software from executing on your endpoints to begin with. If you would like to see how the SentinelOne platform can protect your organization from adware, malware and other threats, contact us today or request a free demo.

SAMPLE

SHA 256: 4ab52dd99ecf269cf74ff9334dec015ad0184659ba848fd762dabc650e00a575

INDICATORS OF COMPROMISE

~/Library/Application Support/.upd2006
~/Library/LaunchAgents/com.MyMacUpToDate.agent
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Applications/MyMacUpToDate
~/Applications/UpToDateMac/UpToDateMac

URLs

mmp[.]myshopcouponmac[.]com
request[.]mymacuptodate[.]com/macCheckForUpdates

