| ID | X0007 |
| Aliases | None |
| Platforms | OS X |
| Year | 2015 |
| Associated ATT&CK Software | None |
Geneio is a byproduct of the DYLD_PRINT_TIFILE vulnerability. Geneio can gain access to the MAC Keychain and persist until removed by the user. When the program is executed, it creates the following files:
- /Application/Genieo.app
- /Applications/Uninstall Genieo.app
- ~/Library/Application Support/com.genieoinnovation.Installer/Completer.app
- ~/Library/LaunchAgents/com.genieo.completer.download.plist
- ~/Library/LaunchAgents/com.genieo.completer.update.plist
- ~/Library/Safari/Extensions/Omnibar.safariextz
- ~/Library/Application Support/Genieo/
- /tmp/GenieoInstall.dmg
- /tmp/tmpinstallmc.dmg
Next, the program changes the default search engine and homepage to the domain search.genieo.com.
The program then installs the browser extension ~/Library/Safari/Extensions/Omnibar.safariextz.
When the user inputs a search query it will appear to be carried out using Google Search but the results will be from genieo.com.
| Name | Use |
|---|---|
| Persistence::Browser Extensions (T1176) | Geneio installs Safari Extensions that are adware [1] |
| Name | Use |
|---|---|
| Execution::Install Additional Program (B0023) | Geneio installs the browser extension ~/Library/Safari/Extensions/Omnibar.safariextz. It also creates the app files listed in the description above. [1] |
SHA256 Hashes
- 56b1d33fde65ab520a6c8afe9b3f304c50b581d3e46a9baa56fb9694d4d7effc
[1] https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
[2] https://macpaw.com/how-to/remove-genieo-malware-mac
[3] https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99