SearchPageInjector

The SearchPageInjector program is a Mac malware that emerged in November 2018. The SearchPageInjector malware is believed to be distributed via pirated software and cracked games. Given the scrutiny policies implemented into the Mac OS, the users are likely to disable them to load questionable software, which allowed the SearchPageInjector malware to enter their system. The SearchPageInjector program is designed to inject additional content on the pages you load in Safari, Google Chrome and Mozilla Firefox. SearchPageInjector is known to inject JavaScript from remote servers and display advertisements on the screen of infected users. The threat actors behind the SearchPageInjector malware are using an open-source HTTPS proxy client called 'mitmproxy' (https://mitmproxy.org) to facilitate a man-in-the-middle attack on the network traffic on the infected devices. The 'mitmproxy' toolkit allows them to change HTTPS connections and include insecure resources from remote servers.

Incident reports associated with SearchPageInjector suggest that it is used to push targeted advertisements primarily. However, cybersecurity experts alert that SearchPageInjector can be used in crypto jacking campaigns. The SearchPageInjector application can load CoinHive scripts and allow third parties to mine for cryptocurrencies by hijacking the processing power of compromised machines. The users that may have been compromised by the SearchPageInjector might notice a decreased performance, increased CPU usage, pop-up windows, automatically playing video commercials and a browser extension called 'SearchPage' in their browser. The 'mitmproxy' component may add a security certificate to the Keychain Access panel under the Utilities menu that is part of the Applications system category. You can manually delete the 'mitmproxy' certificate, but it is recommended to use a credible anti-malware scanner that can delete the resources associated with the SearchPageInjector malware. AV engines are likely to flag files created by SearchPageInjector using the name OSX/SearchPageInjector.