
LittleSnitch (3rd party firewall) prompted me on an outbound connection from an application I didn't recognize in ~/Library/Application Support/AppPolicy/AppBox. It was attempting to connect to www. unionsoftwareonline. com. Doing some digging this site appeared to be associated with the PUP/Adware "AppMonitor".

I ran a Malwarebytes scan and it detected three components related to Adware.Spigot:

2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist

However, it did not identify or offer to remove the directory or binary I noted above.

Using LaunchControl (a GUI for examining your launchd configuration), I identified a User Agent was installed ( /Users/xxx/Library/LaunchAgents/com.appbox.AppBox.plist) with the following parameters:

/Users/xxx/Library/Application Support/AppPolicy/AppBox" -i -c <6 digit number> -isn <string of digits and letters separated by dashes>

I know malware can download and install other components. But I believe Malwarebytes should try to clean them up as well...

Is this a known or possibly new variant/component of Adware.Spigot? I tried searching the Malwarebytes labs Threat Center. But I couldn't even get a hit on "Adware.Spigot" or "Spigot" and that is clearly something it identifies. (Is there a searchable compendium of all threats that Malwarebytes identifies? Sorry, new around here...)

I unloaded the launchd agent and disabled it but held onto the binary for the moment in case it is of use for further analysis.

  • Staff

Those AppBox bits definitely are not components of Spigot that we've seen before, but they do look like they're probably parts of Spigot.

Do you still have copies of the com.appbox.AppBox.plist file and the AppPolicy folder? If so, would you be willing to share them with us?

Probably the best way to share them would be to go to VirusTotal:

https://virustotal.com

Upload the .plist file first, and when the analysis is done, make a note of the URL of the analysis page. Then compress the AppPolicy folder (control-click that folder and choose Compress "AppPolicy" from the menu that appears) and upload the resulting AppPolicy.zip file the same way.

Once you've done that, reply to this post and paste in the URLs of the analysis page on VirusTotal for both of those uploads. I'll be able to download them from there.

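The two checks that run through this thread, looking at what a user LaunchAgent actually launches and whether the scanner's detection list covers it (first post), and sharing samples through VirusTotal, whose analysis URLs carry the file's SHA-256 (staff reply), written up as an added Python example. This is not code from the thread or from Malwarebytes. The plist and the three log lines are constructed copies modelled on what the first post describes; the `-c` and `-isn` values are placeholders, not the values from the real agent.

```python
import hashlib
import plistlib
import re

# Constructed sample LaunchAgent, modelled on com.appbox.AppBox.plist as described
# in the first post. The -c and -isn arguments are placeholders (assumption).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.appbox.AppBox</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/xxx/Library/Application Support/AppPolicy/AppBox</string>
        <string>-i</string>
        <string>-c</string>
        <string>000000</string>
        <string>-isn</string>
        <string>PLACEHOLDER-ID</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Constructed copy of the three Malwarebytes detection lines quoted in the first post.
SAMPLE_MBAM_LOG = """2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist
"""

# "<date> <time> : <detection name> : <path>"; the path may contain spaces.
LOG_RE = re.compile(r"^(\S+ \S+) : (\S+) : (.+)$")
SHA256_RE = re.compile(r"[0-9a-f]{64}")

# Locations where a launch item's binary is expected to live on a healthy Mac.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def parse_detections(log_text):
    """Turn scanner log lines into {time, name, path} records; skips unparsable lines."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append({"time": m.group(1), "name": m.group(2), "path": m.group(3)})
    return records


def audit_launch_agent(plist_bytes):
    """Summarise a launchd plist: label, launched program, its arguments, and review flags."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    program = args[0] if args else None
    flags = []
    if program and program.startswith("/Users/") and "/Library/Application Support/" in program:
        flags.append("binary hidden in a user Application Support folder")
    if program and not program.startswith(TRUSTED_PREFIXES):
        flags.append("binary outside system/vendor locations")
    if d.get("RunAtLoad"):
        flags.append("RunAtLoad")          # starts at every login
    if d.get("KeepAlive"):
        flags.append("KeepAlive")          # launchd restarts it if it is killed
    return {"label": d.get("Label"), "program": program, "args": args[1:], "flags": flags}


def uncovered_paths(agent, detections):
    """Paths the agent depends on that no detection names, directly or via a parent directory."""
    detected = [rec["path"].rstrip("/") for rec in detections]
    candidates = [p for p in (agent["program"],) if p]
    return [p for p in candidates
            if not any(p == d or p.startswith(d + "/") for d in detected)]


def sha256_hex(data):
    """SHA-256 of a byte string; VirusTotal file pages are keyed by this value."""
    return hashlib.sha256(data).hexdigest()


def sha256_from_vt_url(url):
    """Pull the SHA-256 out of a VirusTotal analysis URL so a local hash can be compared."""
    m = SHA256_RE.search(url)
    return m.group(0) if m else None


if __name__ == "__main__":
    agent = audit_launch_agent(SAMPLE_PLIST)
    print(agent["label"], "->", agent["program"], agent["flags"])
    print("not covered by scan:", uncovered_paths(agent, parse_detections(SAMPLE_MBAM_LOG)))
    print("sha256 of plist sample:", sha256_hex(SAMPLE_PLIST))
```

Running it against the constructed data reproduces the complaint in the first post: the AppBox binary under `AppPolicy` is launched at login and kept alive, yet none of the three detection paths covers it. Before sharing a sample, `sha256_from_vt_url` lets you confirm that the hash in a VirusTotal URL matches `sha256_hex` of the file you still hold, so everyone in the thread is talking about the same bytes.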
  • Staff

Also, do you have any idea what might have been installed on that machine that would have included that? Spigot is known to be included in a number of different popular app installers, such as the FileZilla and uTorrent installers. However, I've looked at those installers recently and didn't see anything new being dropped at that time. I'd love to find out what dropped this new variant.


Thomas, thanks for the response. I did keep the files and am willing to share. As someone with Info Sec experience my goal is to help improve any product that can help others. I'm just having a particularly hectic week and will do so as soon as possible.

I too would love to know. I put a lot of effort into keeping my computer applications (as well as my OS) up to date. But that of course doesn't mean that everything I've installed over the years is as reputable (or has remained reputable) as I once thought it was. 

I took the clearly optimistic approach of examining the time stamps of the related files/directories and compared them to the OS software installation log (under System Report) in an attempt to identify a particular install. Unfortunately, it was not going to be that easy. However, the fact that the outbound connection was something new leads me to believe it was a fairly recent install or update. So the log does provide some context and I now have a particular suspect. I just want to run a few tests before I point fingers publicly at a potential culprit. For now I'll just say it's a branch of a "free and open" media player that Malwarebytes has blogged about in the past. ;-)

I'll follow up as soon as I can.

  • Staff

Unfortunately, a lot of these adware installers are actually apps that mimic the Apple installer - sometimes even down to the icon. Because they're not actually installers, they don't show up in the installation log.

If you need any assistance analyzing some installers, let me know... I can run them in a safe environment and see what files they drop. :)


Apologies for the delay. 

.plist file:

https://virustotal.com/en/file/a370c47da00b57d60cdc0b9c8e57bc9cda8c76aca9273a08a23c3f57d0eda635/analysis/1481295580/

App Policy folder:

https://virustotal.com/en/file/e535bb183066c7da0013ef0ccc9cd0796410c2f319644aa815d71669d16b8545/analysis/1481295802/

I also ran an analysis of the package installer that I thought could have been involved and it came up clean. Also looked through the installer package files myself. So that lead is dead.

I have a repository of over 500 installers and as I said I update frequently. So unfortunately I see no way of identifying the source. But at least this new code could be identified and included in your removal processes once validated.

Brian
