Safari infected by something Malwarebytes Premium does not detect



Hi - I am running a Mac mini, on MacOS Catalina 10.15.7.  Very stupidly, a few days ago, I opened an email from our pet's vet that should have been suspicious because we hadn't had a recent appointment - it had a pdf attachment - said it was an invoice. I use webmail (Fastmail) - I tried to open the attachment, but couldn't read it in Firefox, my usual browser.  So then I stupidly tried to open it in Safari (which is what I generally do when Firefox won't display or work a page properly, possibly due to my browser settings/addons).  I couldn't read the pdf in Safari, either.  But later I noticed that there were suspicious tabs open in Safari that I had not opened - several for an online dating site; two for some sort of gambling(?) site.  I ran an on-demand scan with Malwarebytes Premium - nothing found.  I think I then closed Safari, re-opened it and cleared all history, closed it and reopened (not 100% sure of the sequence).  It seems okay now.  And I rebooted my Mac.  What else should I do?  Why didn't MalwareBytes find this problem?  Do I have to change all my passwords (that would be nearly impossible) - or just the ones I may have used in the last several days?  Or are they all likely fine?  I have used web email, but since I choose to remain logged in, I haven't entered those credentials.  But I have logged into several shopping sites, etc.

(I will probably consider upgrading to Monterey, at this point - I've been reluctant because of losing the ability to make clone-able backups as a backup strategy.)

Thank you.

By the way, I still have the suspicious email on my computer... if that is useful.


PS - I read this  https://support.malwarebytes.com/hc/en-us/articles/360046436593 and checked my Mac mini's profiles.

I found a profile (see attached screenshot).  Suspicious because it says "received" with today's date, Oct 6 (although I first opened the suspicious email w/ attachment on Oct 3).  For what it's worth, it says "verified".  I have not used iMovie recently.

I am going to remove it...


After doing a bit more reading, I think it's benign.  Probably okay to either remove or leave.  I think I may have updated iMovie recently (I think I did that in response to a prompt from System Pref's>Software Update), so maybe that's when it was installed, although I'm not sure why it has today's date under "Received".


Your screenshot didn't come through, but legitimate profiles are rare and I'm unaware of any related to iMovie, though I may not be running the most recent version, myself. 


Oops, sorry forgot to attach!  Pls see below.

The reason I'm saying it might be related to iMovie is what I've read here:

https://eclecticlight.co/2021/03/06/you-may-notice-something-odd-with-the-latest-version-of-imovie/

https://forums.macrumors.com/threads/weird-new-profiles-section-in-settings.2287201/


I think I am going to try running DetectX Swift, though I've never used it before...


Mac mini Profile snapshot on 10-6-22.png


1) I ran DetectX Swift "Search"- no problems found.  This was run AFTER I had already cleared the Safari and Firefox browser caches.  (Safari was the browser that was obviously affected, with unwanted, suspicious tabs opening.) 

Since DetectX Swift found no problems, does that mean I can feel confident I am clean?  Or does anyone here think I need to do anything else?  (I may try running BitDefender, if there's a Mac version.)

2) I'm also curious to know why Malwarebytes Premium did not detect this problem, or prevent it.  It was running at the time the problem occurred. (And RTProtectionDaemon seems to use about 25% of my CPU, so I'd like to think it's doing something!)

3) I also ran the DetectX Swift "Profile" component - some of the things that are in the Launch folders are a little baffling to me...  but apparently not malware.  I'm not techie enough to know if I ought to try to eliminate some of these things.  But since they are not malware, this is probably not the appropriate place to ask about them --  although I would be interested to know if anyone thinks Zoho Assist, which can allow you unattended remote access to your computer, is a risk. I installed it before a recent trip, and I know that I still have it running, but I believe I have it set to block access - I'm not 100% positive, but the "Profile" report does show file sharing, remote management, remote login, etc, all OFF.

Thanks very much!


1) DetectX Swift uses a similar method to detect Mac malware, so it is not a surprise that it too did not find anything. I would suggest using a legacy scanning utility like Intego's free VirusBarrier Scanner.

2) It's still not clear that what you observed was an actual infection. Most such attachments only attack Windows computers, so there is only a very small chance that anything malicious happened by your actions. Neither Malwarebytes for Mac nor DetectX Swift are able to detect Windows-only malware, but the Intego offering I mentioned does find at least some.

The iMovie profile does appear to be legit, although I still can't speak from experience.

The opening of added tabs is not unusual and can easily be done with a script embedded in that supposed pdf or even another web site you visited. Since you mentioned that one was a dating site, I'd just guess that was the sole purpose in spamming you with that attachment.

If you want to investigate the source of that email, I suggest using SpamCop.net to determine the actual source of the message and optionally reporting it to the ISP responsible for the sender's account. You will need to provide all the header information along with the message body source code to do so or it can be sent to them as an attachment.


Thank you for introducing me to Intego.  I ran it, and nothing was detected. 

If I was, perhaps, never truly infected - if it was a script from the pdf file that opened those browser tabs - then can I skip resetting all the passwords I've used in the several days since I opened that pdf file?  Or could the illicit program have learned my passwords?  I have a few passwords I remember (the important ones: Apple, email, Amazon, etc) - I hate to have to reset those.  The rest are BitWarden gibberish, so even tho it's annoying to have to reset them, it's no big deal.  I did do online shopping at a few sites on the day(s) I was "infected" - maybe I should at least change those?  Oh - and maybe I should change my BitWarden Master Password??

I don't think I will send the email to SpamCop - it came from a legitimate email that had been hacked. SpamCop says they only want you to report unsolicited, bulk email.

Thank you again!


8 hours ago, Distressed said:

I don't think I will send the email to SpamCop - it came from a legitimate email that had been hacked. SpamCop says they only want you to report unsolicited, bulk email.

As I mentioned, submission is optional. After a short pause, SpamCop shows you what it found and gives you a choice of submission or cancel. The From: address that you see on the message can be easily faked, but the headers will show you where it actually originated from; if you are already certain of the source, then there is no need to use it this time.

I can't really comment on any need to change any passwords, based on what I know about your situation. Whatever makes you comfortable.

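How the headers reveal the real origin, as an added example written for this thread (not code from the forum, from SpamCop, or from Malwarebytes): it walks the Received: chain of a constructed sample message to find the earliest hop, compares the visible From: domain with the envelope Return-Path, and reads the Authentication-Results verdicts the receiving server recorded. Every host, address and IP in the sample is a made-up placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the thread's email): .invalid/.example hosts, RFC 5737 IPs.
SAMPLE = """Return-Path: <bounce@mailer.invalid>
Received: from mx.fastmail-example.invalid (mx.fastmail-example.invalid [192.0.2.10])
\tby imap.example.invalid with ESMTP id abc123; Thu, 6 Oct 2022 10:00:00 +0000
Received: from relay.example.invalid (relay.example.invalid [198.51.100.7])
\tby mx.fastmail-example.invalid with ESMTPS; Thu, 6 Oct 2022 09:59:58 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.example.invalid with ESMTPA; Thu, 6 Oct 2022 09:59:55 +0000
Authentication-Results: mx.fastmail-example.invalid; spf=pass smtp.mailfrom=mailer.invalid; dkim=none
From: "Our Vet" <office@vet.example>
Subject: Invoice

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_message(raw):
    return message_from_string(raw)  # raw RFC 5322 text (headers plus body)

def received_hops(msg):
    """(sending host, bracketed IP) per Received: header, oldest hop first.
    Each relay prepends its own Received: line, so the header that appears
    last in the message is the earliest hop: where the mail entered the system."""
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        host = re.match(r"from (\S+)", hdr)
        ip = IP_RE.search(hdr)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else "?"))
    return list(reversed(hops))

def origin_hop(msg):
    """The earliest hop: the best evidence of where the message really came from."""
    return received_hops(msg)[0]

def sender_mismatch(msg):
    """True when the displayed From: domain differs from the envelope Return-Path domain."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return from_domain != return_domain

def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server, as a dict."""
    hdr = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
```

Only the Received: line added by your own provider is fully trustworthy; earlier lines can be forged by the sender, which is why the comparison with Return-Path and the authentication verdicts matters.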

Hi, again, alvarnell --  I followed your suggestion to scan with Intego's VirusBarrier (nothing found).  Now I am wondering - I left Intego installed, and it is set to do a daily scan.  But I still have MalwareBytes Premium installed, with Real Time Protection turned on, and it also does daily scans (at a different time of day).   Is this okay?  I don't think Intego VirusBarrier (free version) offers real-time protection - am I right?


Thank you!


Shouldn't be an issue as long as the scheduled scans are either spaced apart by an appropriate amount of time or run when you never use your computer.

Correct, the free version does not offer real-time/on-access scanning.
