On December 12th, Apple updated XProtect, OS X's built-in malware detection tool, to include a signature for OSX.FlashImitator.A. We analyzed the matched file and found even more samples.
For some time, OS X was the target of Download Valley companies such as Genieo Innovation and Conduit, until Apple published an adware removal guide. This article is about a new potentially unwanted program, a download manager: the installCore installer for Macs by ironSource.
According to our research, its first public appearance is in FileZilla on SourceForge. The installer was initially code signed by FileZilla developer Tim Kosse; its developer identifier is now Fried Cookie LTD. This detail is also important for FlashImitator variants: we have two executables where the only difference is the contents of the signature section.
The installCore application mimics Apple's Installer using WebKit:
It looks for mounted disk images and reads data that was injected into the image during download. This encrypted data contains the URL of the product the user expected and tracking information:
The download manager next offers unofficial Yahoo! Search browser hijacking extensions for Chrome, Firefox, Safari, and the usual OS X affiliation suspects. Fortunately, it's possible to skip each offer, and the disk image downloaded is a copy of the standard Adobe disk image.
The installer's behaviour depends on the downloaded file. If the file is a disk image containing an application, the program kills all of the product's processes, mounts the disk image, and copies its *.app into the Applications folder:
Adobe distributes Flash Player as a disk image with an application to install a local package. In order to improve user experience, the FlashImitator download manager installs another installer.
During our research, we found another variant, a major rewrite featuring encrypted resources. This makes other samples look like proofs of concept. This sample is signed by Fried Cookie LTD too but is related to Softonic:
As we also found a few software companies delivering their products through the installCore download manager, we recommend that users pay attention to the growing number of free offers and to the personal data they give away to these companies in exchange.
With many variants not related to Flash, we detect these download managers as OSX.IronCore.A.
Analyzed samples:
Edit: Apple renamed OSX.FlashImitator.A to OSX.InstallImitator.A on February 13th.