Mughthesec is a PUP (Potentially Unwanted Program) that has been spreading to Mac users. The dubious application relies on deceptive distribution tactics that hide the fact it is being installed on the user's Mac system. Analysis carried out by the infosec researcher Patrick Wardle revealed that Mughthesec is a newer version of a previously detected PUP named SafeFinder/Operator Mac.
The Mughthesec application is injected into a fake Adobe Flash installer that is dropped onto the user's device. The fake installer is equipped with a VM-detection routine. If a virtual environment is discovered, the installer will deliver a legitimate copy of Flash. In all other cases, the PUP will contact its Command-and-Control (C2, C&C) server and deliver a host of dubious applications to the device including a rogue utility application named Advanced Mac Cleaner, the Safe Finder adware, and a browser hijacker named Booking.com.
The combination of all these hoax applications will lead to a severely diminished experience while using the affected device. The Web browser will be overtaken - the homepage will now open the main page of a fake search engine, while the search engine for the URL address bar will be changed through a Safari extension named AnySearch. At the same time, the Advanced Mac Cleaner PUP will try to scare users into buying its paid versions through fake warning messages about non-existent malware threats or other issues that have supposedly been detected.
To deal with the consequences of Mughthesec, users will first have to remove all of the additional applications that were delivered to their computers. Afterward, delete the launch agent established by Mughthesec located at the ~/Library/LaunchAgents/com.Mughthesec.plist location.
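The persistence check and cleanup described above, written out as an added example (not code from the original article or from the researcher it cites). The only indicator it relies on is the launch agent path the article names, ~/Library/LaunchAgents/com.Mughthesec.plist; the optional home-directory argument is an assumption added so the same functions can be pointed at another user profile or a scratch directory. The additional bundled applications (Advanced Mac Cleaner, Safe Finder, the AnySearch extension) have no paths given on the page, so they are deliberately left to manual removal.

```shell
#!/bin/sh
# Added example: detect and remove the Mughthesec launch agent.
# The plist path comes from the article; the home-directory argument
# is an assumption so the functions can be run against any profile.

MUGHTHESEC_AGENT="Library/LaunchAgents/com.Mughthesec.plist"

# Print the agent's full path if it exists under the given home directory
# (defaults to $HOME). Returns 0 when found, 1 when absent, so it can be
# used directly in an if/while or as a triage one-liner.
find_mughthesec_agent() {
    home="${1:-$HOME}"
    plist="$home/$MUGHTHESEC_AGENT"
    if [ -f "$plist" ]; then
        printf '%s\n' "$plist"
        return 0
    fi
    return 1
}

# Unload the agent from launchd, then delete the plist. Returns 0 when the
# file is gone afterwards (including when it was never there).
remove_mughthesec_agent() {
    home="${1:-$HOME}"
    plist="$home/$MUGHTHESEC_AGENT"
    [ -f "$plist" ] || return 0
    # launchctl only exists on macOS; on other systems (or in a test
    # directory) skip the unload and just remove the persistence file.
    if command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    rm -f "$plist"
    [ ! -e "$plist" ]
}

# Usage: sh mughthesec_agent.sh --check    (report only)
#        sh mughthesec_agent.sh --remove   (unload and delete)
case "${1:-}" in
    --check)  find_mughthesec_agent || echo "no Mughthesec launch agent found" ;;
    --remove) remove_mughthesec_agent && echo "Mughthesec launch agent removed (or absent)" ;;
esac
```

Run the --check form first: a hit confirms the persistence mechanism is present and is worth recording before cleanup. Unloading before deleting matters because launchd keeps the job registered for the session even after the plist disappears; removing the file alone would leave the agent running until the next login.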
Apple has revoked the developer certificate abused by Mughthesec to sign its files so macOS will block any future attempts to run this version of the fake Flash installers. However, there is no doubt that the scammers behind Mughthesec will soon unleash a new version with a different certificate. Mac users should stay vigilant and pay attention to the applications they are installing.