Among its improvements are an anti-VM detection check based on the machine's MAC address, and a valid Apple developer certificate, which allows it to slip unnoticed past Apple's Gatekeeper system. This second improvement is of special significance, because very few malware strains carry a valid certificate, making Mughthesec unusual among its peers.
This updated version is finding its way onto machines disguised as an Adobe Flash Player installation file. The user gets a legitimate copy of Flash, but in the background, the malware also installs an app called Advanced Mac Cleaner, along with two extensions for the Safari web browser called “Safe Finder” and “Booking.com.”
According to Patrick Wardle, the Director of Research at Synack, while it's easy enough to remove the rogue browser extensions and unwanted apps via conventional means, the new Mughthesec code contains hooks that allow the hackers to simply reinstall those apps, or any other program they feel like inflicting on a user.
If you find Mughthesec on your machine, or if you get rid of malware only to find that it comes back almost immediately, Wardle’s recommendation is to reinstall your OS. That may sound like a draconian move, and it’s an annoying and painful process, but sadly, it’s the only way to be sure that the hooks the malware embeds in the operating system are completely removed.
The fear is that unless you take this step, your machine is simply going to keep getting peppered with malware, and perhaps something worse if the hackers decide to launch a genuinely destructive attack.