Skip to content

Latest commit

 

History

History
74 lines (55 loc) · 2.89 KB

searchawesome.md

File metadata and controls

74 lines (55 loc) · 2.89 KB
ID X0017
Aliases None
Platforms Mac OSX
Year 2018
Associated ATT&CK Software None

SearchAwesome

SearchAwesome adware intercepts encrypted web traffic to inject ads.

ATT&CK Techniques

Name Use
Defense Evasion::Subvert Trust Controls (T1553) The malware uses certificates to gain access to HTTPS traffic. [1]
Collection::Browser Session Hijacking (T1185) The malware can modify web traffic for the purpose of injecting Javascript. [1]
Command and Control::Proxy (T1090) The malware uses mitmproxy to intercept and modify web traffic. [1]
Collection::Adversary-in-the-Middle (T1557) After installing a certificate, the malware inserts inself into a chain of custody, typically within network packets. [1]

Enhanced ATT&CK Techniques

Name Use
Execution::User Execution (E1204) The user opens a disk image file which invisibly installs its components. [1]
Defense Evasion::Self Deletion (F0007) The malware will monitor if a specific file gets deleted and then will delete itself. [1]
Privilege Escalation::Install Certificate (E1608) The malware installs a certificate. [1]
Execution::Command and Scripting Interpreter (E1059) The malware installs a script to inject a JavaScript script and modify web traffic. [1]

MBC Behaviors

Name Use
Command and Control::C2 Communication::Receive Data (B0030.002) The malware receives data from the C2 server. [1]
Impact::Manipulate Network Traffic (B0019) SearchAwesome intercepts encrypted web traffic to inject ads. [1]
Execution::Install Additional Program (B0023) The malware installs an open-source program called mitmproxy. [1]

Indicators of Compromise

  • /Applications/spi.app
  • ~/Library/LaunchAgents/spid-uninstall.plist
  • ~/Library/LaunchAgents/spid.plist
  • ~/Library/SPI/
  • ~/.mitmproxy/

Attack Flow

Attack flow for SearchAwesome based on [1].

Screenshot of Attack Flow for SearchAwesome based on Malwarebytes article.

References

[1] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection