Crossrider Adware Still Causing Unwanted Mac Browser Redirects

There exists a pervading urban legend that Apple Macs don’t get viruses. Time and again this urban legend is proved to be as factual as all the conspiracy theories that float about online combined. A new variant of the adware Crossrider again proves the urban legend to be nothing more than an urban legend. While Macs may not get viruses as they used to be defined (more on this later), they can be infected with malware.

Crossrider was discovered infecting systems running Mac OS as early as 2013, with new variants being detected frequently since then. In 2018, a variant was detected and subsequently analyzed. On its face, the variant was nothing too out of the ordinary when compared to its earlier cousins. Upon closer analysis, what did differ was how the new variant achieved its persistence on an infected system. Persistence is a goal shared by many a malware author—those with a focus on cyber espionage see persistence on a targeted device as essential, while others see it as a handy way to keep a thorn in the side of the victim. While some malware authors and hackers are content to copy those who have gone before them, often making detection easier, others are far more creative.

Upon analysis, it turned out that the variant discovered in 2018 would alter configuration settings to remain on the infected system despite efforts to remove it. By installing a configuration setting, the malware can perform actions on a Mac that normal software—or, in this case, malware—would not be able to do. In the case of the 2018 variant, this configuration profile forces both Safari and Chrome to always open to a page on chumsearch.com. To make matters worse, this setting could not be changed via the browser’s settings. The configuration profile then installs another identifier of com.myshopcoupon.www, which is not visible in System Preferences.

What, then, separates the new variant discovered recently from the one discovered in 2018? Honestly, very little. The difference between the newest and the slightly older variant resides in to which domain the compromised configuration setting directs victims—searchmine.net, in the latest variant. The two variants even share the same infection process.

Here is a screenshot of a rogue system configuration profile that blocks user’s attempts of changing one’s homepage and default internet search engine settings:

Rogue system configuration profile installed by crossrider adware

The infection process is where the creativity ends—this version relies on the victim installing a fake Adobe Flash Player installer. This tactic, common in the extreme, is used in both Mac malware and Windows malware. Only in the appearance of the installers does one find a difference between the latest variant and the one discovered.

Here is a screenshot of the latest Crossrider adware installer:

crossrider adware installer (Mac)

Opening the installer results in a familiar installation process used by other malware variants in the past. In the course of installation, a copy of Advanced Mac Cleaner is dumped onto the hard drive, which tells the user it has found problems with your system using Siri’s voice. No problems exist until this point; rather, the malware attempts to present an air of legitimacy to the victim. Safari also pops open and then closes again suspiciously—again, to make it appear as if Advanced Mac Cleaner is a legitimate program looking out for your safety. In the 2019 variant, its name has changed to Mac Cleanup Pro.

Here is a screenshot of the Mac Cleanup Pro potentially unwanted application:

Mac Cleanup Pro unwanted application

The latest variant of Crossrider adware redirects Mac users to searchmine.net website. Its previous variant caused redirects to the weknow.ac URL.

Here is a screenshot of searchmine.net URL set as victim’s homepage and default internet search engine:

searchmine.net browser hijacker

What’s the Harm?

Despite the copy-and-paste nature of the new variant of Crossrider, it still poses a threat to Mac users. While some might argue that it is merely adware and irritating, the reality is that users are becoming infected with adware that could one day morph into something more sinister. In 2017, a piece of spyware called Fruit Fly—which used a combination of old outdated code to remain undetected on infected systems—combined old tactics with new tactics to become a reliable and stealthy piece of spyware capable of switching on webcams and even notified the hacker when a user was active on their machine.

In the case of Crossrider, it does very little that is new or innovative but is still capable of infecting users. If this tried and tested infection method using a compromised Flash installer still works, questions need to be asked if Macs are inherently safe as some believe and are users believing the myth unquestionably. A quick search on any popular search engine will reveal that Macs are not as safe as believed. It is difficult to pin down exactly what started the belief that Macs are more secure than their Window’s brethren; however, a likely candidate may be a clever marketing campaign from 2006, which premised the idea that Macs don’t get viruses. There is a grain of truth to this, as viruses were defined as a malicious program that attaches itself to other files to be spread. This method of attaching spreading is rare, and in modern cybersecurity, there are only a tiny number of Windows viruses.

Rather than talking about viruses researchers refer to malicious software or malware. Malicious software can be software that provides access to the computer via a backdoor, spyware that logs keystrokes and captures pictures with the webcam, ransomware that encrypts the user’s files to hold them for ransom or steals important pieces of personal information. Malware certainly exists that is designed to infect Macs. While Macs may not get viruses, as defined in earlier years, they certainly can be infected with malicious software. Two of each have been provided as examples above. The truth is that there are far less Mac-specific malware variants out there when compared to Windows. In 2012 there was a spike in detected Mac malware mainly in the form of potentially unwanted programs, or PUPs, of which Crossrider is one. These can be attributed to the growing popularity of Mac products and their OS.

Mac Computers Don’t Get Infected?

The myth that Macs don’t get viruses has been debunked on several occasion it still persists. Some might agree that the myth is debunked, then in the next sentence argue that OS X is an inherently safer operating system and it already includes anti-malware software in ProjectX and Gatekeeper. And like with the “they don’t get viruses” myth, there is a bit of truth. Ever since Apple switched to a Unix operating system, a system seen as security-orientated, the operating system has become more secure. But no operating system is faultless and it has been proven that the security features included in the OS can be circumvented. Again, it is the number of threats designed to circumvent these features that lead to the false belief. There are far fewer pieces of malware actively targeting users of Macs. That doesn’t mean the operating system is inherently safer; rather, hackers often look to target Windows users as there are far more, thus increasing the likelihood of success.

As to the inclusion of anti-malware software, it’s a positive development no doubt, but this often is seen as a reason not to get dedicated security products such as firewall and anti-virus packages. Gatekeeper, ProtectX and other similar features do increase the security posture of the device; however, they are limited by design. Application firewalls will block incoming communications but cannot block outgoing communications. Gatekeeper is still vulnerable to malware that uses exploits. And XProtect will protect you only against certain specific, prevalent malware only once a malware definition is uploaded. Each, while good, is limited and several products exist to shore up these defensive holes.

It can also be argued that it is not because of a security flaw within Mac that allows for the spread and infection of adware such as Crossrider, for example, but rather the user’s attitude to security. If a user absolutely believes in the infallibility of their Mac, they will find it hard to believe that they can become a victim of a malware infection. Semantics about what is and what is not a virus does not necessarily help inform the argument. Only those who experience a ransomware infection first-hand will want to prevent any further infection. Therein lies the rub: It should not be that one has to become a victim first to become more aware of the limits of your security. And myths regarding how secure something is may be further contributing to this downward spiral. Until the myths are thoroughly debunked—which many of them have been—and attitudes change, Crossrider will continue to evolve despite being preventable.

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard
Tomas Meskauskas

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.

tomas-meskauskas has 6 posts and counting.See all posts by tomas-meskauskas