A new version of MacOS Adware Pirrit spotted in the wild

Our malware research team had spotted a new and advanced version of MacOS Adware Pirrit.
The delivery method is the same “Your Mac is infected” scamware page, where the user is tricked to download some sort of application to “clean” their Mac.

The spotted package that will drop everything is called: “Your File Is Ready To Download.dmg”

MD5 (Your File Is Ready To Download.dmg) = 1b25d2413dd5b1e99a6e3f8678784b6b

After the install, the application silently launches a bash script called lconf.sh, which was previously downloaded in the /tmp folder.
The script is profiling the Mac and download the payload from an Amazon EC hosted C2 (command and control).

The downloaded files are:

MD5 (cre.tar) = adbf8cf6427cbda0c47044d536d378e9
MD5 (ervsc.tar) = 2d5247f7bd61e0da13872a2026068497
MD5 (wpeps.tar) = b37f163352b3bb23c3369b5d9a0345f3

The files are payloads for various rogue applications and a new Safari browser extension called PlayerWeb.safariextz

Domains spotted to serve as C2 (command and control) and profiling network:


Some indicators of compromise:

~/Library/Application Support/TOpstring

The adware samples can be downloaded from the VirusBay platform.

We detect this malware as MacOS.Malware.PirritV2019.

Scan your Mac OS NOW with CyberByte Antivirus for Mac to check if YOU are infected!

Get your CyberByte™ Antivirus copy from https://mac.cyberbyte.org/download/CyberByte.pkg
CyberByte™ – part of CSD Cyber Smart Defence group of companies
Your Safety is Our Mission!