
What is SearchPageInstaller?

2025-02-24 update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 report

This article explains in detail what SearchPageInstaller is. We think the topic is quite practical, so we share it here for reference and hope you will gain something from reading it.

SearchPageInstaller (SPI) is adware that has been active since 2017. In the most recent samples analysed by the researchers, which are already several months old, it has started to use mitmproxy, an open-source interception proxy, to tamper with the victim's web traffic.

SPI monetises advertising in an unusual way. Most adware simply redirects browser pages; SPI instead injects its own ads at the top of the HTML of the user's search results pages. To do this, the malware must first enable an HTTP and an HTTPS proxy on the infected host, which is visible in the Proxies tab (under Advanced) of the Network pane in System Preferences.

The same setting can be confirmed from the command line with system_profiler SPNetworkDataType | grep 'Proxy Enabled', which reports whether the HTTP and HTTPS proxies are switched on.

Inspecting the source of a web page served to an infected machine reveals the code injected by SPI; it displaces all of the page's own ads.

The injected script is loaded from chaumonttechnology.com, a host that two detection engines on VirusTotal flag as malicious.

Man-in-the-middle attack

For the proxy itself, SPI uses mitmproxy, an open-source HTTPS interception proxy, together with a script named inject.py that inserts the malicious script tag into the HTML of web pages passing through it.

mitmproxy works as a man in the middle between client and server: it terminates the client's TLS connection with a certificate it forges on the fly for the requested host and opens its own connection to the real server, so the client believes it is talking directly to the server. This only works if the client trusts the forged certificates, which means the mitmproxy CA certificate must be installed as trusted; otherwise the browser would show a certificate warning for every HTTPS site. SPI installs that CA certificate automatically once the user is tricked into entering an administrator password. The following is what we observed on macOS 10.14 Mojave.

Once authorised, mitmproxy generates its CA certificate and the other key material it needs for the man-in-the-middle attack and writes them to the hidden ~/.mitmproxy directory.

Malware detection

As we have seen, when SearchPageInstaller starts it first attempts to obtain permission to install a new certificate. Next, it tries to modify the network proxy settings of the target host, which also requires administrator privileges, so it pops up another authentication prompt.

Below is the full attack chain as recorded, showing each process created by the malware and the corresponding process-creation event.

The enlarged view in the right-hand panel shows the currently selected event; here it is the execution of mitmdump [20], the command-line tool that ships with mitmproxy.

mitmdump can view, record and replay HTTP traffic. Here the process loads the inject.py script and is given additional arguments that tell mitmproxy to ignore hosts matching a regular expression: connections to those hosts are passed through untouched rather than intercepted. This keeps the proxy from breaking traffic protected by certificate pinning, which would reject the forged certificate and could expose the proxy.

Next, the mitmdump process spawns a shell [23], which runs the uname tool [21] to collect information about the target machine's architecture.

The network traffic of each process is shown below.

Having recorded the target machine's original configuration in this way, the attacker can restore it once the infection is complete or the attack session is over.
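The indicators described in this article (the HTTP/HTTPS proxy switched on as shown by system_profiler, the mitmproxy CA in the hidden ~/.mitmproxy directory, and a mitmdump process loading inject.py with an ignore-hosts regex) can be turned into repeatable triage checks. The following shell script is an added example and is not code from the original report, from the malware or from mitmproxy. Each check is a function that takes text or a path, so it can run against captured output offline; run_live applies them to the current macOS host. The system_profiler and ps samples embedded in it are constructed for illustration, and the script path and example.com regex in them are placeholders, not values taken from SPI.

```shell
#!/bin/sh
# Added example (not from the original report): triage checks for the
# SearchPageInstaller indicators. Functions take text or a path so they can
# be exercised against captured output; run_live() uses the live macOS host.

# Constructed sample of `system_profiler SPNetworkDataType` output on an
# infected host (format approximated from a real report, values invented).
SAMPLE_PROFILE='Network:
    Wi-Fi:
      Proxies:
          HTTP Proxy Enabled: Yes
          HTTP Proxy Port: 8080
          HTTP Proxy Server: 127.0.0.1
          HTTPS Proxy Enabled: Yes
          HTTPS Proxy Port: 8080
          HTTPS Proxy Server: 127.0.0.1'

# Constructed sample of `ps -axo command` output; the script path and the
# ignore-hosts regex are placeholders, not the malware's real arguments.
SAMPLE_PS='/sbin/launchd
/usr/local/bin/mitmdump -q -s /Users/victim/inject.py --ignore-hosts ^(.+\.)?example\.com$
/bin/bash /tmp/launcher.sh'

# Does the system_profiler text show an HTTP or HTTPS proxy enabled?
proxy_enabled() {
    printf '%s\n' "$1" | grep -Eq '^ *HTTPS? Proxy Enabled: Yes'
}

# Print the configured HTTP proxy as host:port (prints nothing if none).
proxy_target() {
    printf '%s\n' "$1" | awk -F': *' '
        /^ *HTTP Proxy Server:/ { srv = $2 }
        /^ *HTTP Proxy Port:/   { port = $2 }
        END { if (srv != "") printf "%s:%s\n", srv, port }'
}

# Has mitmproxy generated its CA under the given home directory?
mitm_ca_present() {
    [ -f "$1/.mitmproxy/mitmproxy-ca-cert.pem" ] || [ -f "$1/.mitmproxy/mitmproxy-ca.pem" ]
}

# From ps output, print mitmdump command lines that load an inject.py script.
mitmdump_with_inject() {
    printf '%s\n' "$1" | grep -E 'mitmdump.*inject\.py' || true
}

# Print the --ignore-hosts (or older --ignore) regex from one command line.
ignored_hosts() {
    printf '%s\n' "$1" | sed -n -E 's/.*--ignore(-hosts)?[ =]([^ ]+).*/\2/p'
}

# Apply the checks to the running system (macOS only; skipped elsewhere).
run_live() {
    command -v system_profiler >/dev/null 2>&1 || { echo "not macOS, skipping live checks"; return 0; }
    net=$(system_profiler SPNetworkDataType 2>/dev/null)
    if proxy_enabled "$net"; then
        echo "proxy enabled, HTTP proxy is $(proxy_target "$net")"
    fi
    if mitm_ca_present "$HOME"; then
        echo "mitmproxy CA present in $HOME/.mitmproxy"
    fi
    # The CA only matters once it is trusted: look for it in the keychains too.
    if security find-certificate -c mitmproxy >/dev/null 2>&1; then
        echo "certificate named mitmproxy found in a keychain"
    fi
    mitmdump_with_inject "$(ps -axo command)" | while IFS= read -r line; do
        echo "mitmdump loading inject.py: $line"
        echo "  hosts excluded from interception: $(ignored_hosts "$line")"
    done
}

# Show the checks against the constructed samples, then check this host.
proxy_enabled "$SAMPLE_PROFILE" && echo "sample: proxy enabled at $(proxy_target "$SAMPLE_PROFILE")"
echo "sample: ignored hosts = $(ignored_hosts "$(mitmdump_with_inject "$SAMPLE_PS")")"
run_live
```

The ignore-hosts value is worth recording during an investigation: the hosts an interception proxy deliberately leaves alone are the ones whose pinning would have exposed it, and the list tells you which traffic was and was not tampered with.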

This concludes our article on what SearchPageInstaller is. We hope the content is of some help; if you found it useful, please share it so that more people can read it.


*The views expressed in the article above are the author's own and do not represent the views or position of this website. If you have further insights, you are welcome to contribute and share them.

© 2024 shulou.com SLNews company. All rights reserved.