| ID | X0017 |
| Type | Adware |
| Aliases | None |
| Platforms | Mac OSX |
| Year | 2018 |
| Associated ATT&CK Software | None |
SearchAwesome adware intercepts encrypted web traffic to inject ads.
| Name | Use |
|---|---|
| Defense Evasion::Subvert Trust Controls (T1553) | The malware uses certificates to gain access to HTTPS traffic. [1] |
| Collection::Browser Session Hijacking (T1185) | The malware can modify web traffic for the purpose of injecting Javascript. [1] |
| Command and Control::Proxy (T1090) | The malware uses mitmproxy to intercept and modify web traffic. [1] |
| Collection::Adversary-in-the-Middle (T1557) | After installing a certificate, the malware inserts inself into a chain of custody, typically within network packets. [1] |
| Name | Use |
|---|---|
| Execution::User Execution (E1204) | The user opens a disk image file which invisibly installs its components. [1] |
| Defense Evasion::Self Deletion (F0007) | The malware will monitor if a specific file gets deleted and then will delete itself. [1] |
| Privilege Escalation::Install Certificate (F0016) | The malware installs a certificate. [1] |
| Execution::Command and Scripting Interpreter (E1059) | The malware installs a script to inject a JavaScript script and modify web traffic. [1] |
| Name | Use |
|---|---|
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives data from the C2 server. [1] |
| Impact::Manipulate Network Traffic (B0019) | SearchAwesome intercepts encrypted web traffic to inject ads. [1] |
| Execution::Install Additional Program (B0023) | The malware installs an open-source program called mitmproxy. [1] |
- /Applications/spi.app
- ~/Library/LaunchAgents/spid-uninstall.plist
- ~/Library/LaunchAgents/spid.plist
- ~/Library/SPI/
- ~/.mitmproxy/
Attack flow for SearchAwesome based on [1].
[1] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection