Adware that changes the user’s browser homepage and installs the “Any Search” browser extension to deliver advertisements. In addition, it installs a few other adware programs:

  • Advanced Mac Cleaner
  • Safe Finder
  • Booking.com

Source: Objective-See




The installation file is signed with a legitimate Apple Developer ID, so Gatekeeper won’t raise any alert on execution. To persist on the infected system, the malware creates a LaunchAgent at “~/Library/LaunchAgents/com.Mughthesec.plist”. Mughthesec pretends to be a Flash Player installer, but while installing Flash Player it also installs the programs mentioned above behind the scenes.



The installed program, Advanced Mac Cleaner, might display pop-up windows that try to tempt the user into entering credit card details to buy and activate the program in order to clean the computer.



Links:


Samples:
7c1b90890bdbf25747df702e000296dc28aa0eff
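
A defender-side check for the two indicators given on this page, the LaunchAgent path and the sample SHA-1, as an added example that is not part of the original write-up. The function names are illustrative, and the plist keys it reports (`Label`, `ProgramArguments`, `Program`, `RunAtLoad`) are standard launchd keys assumed to be present, not values taken from the sample.

```python
import hashlib
import plistlib
from pathlib import Path

# Both indicators come from this page.
AGENT_RELPATH = Path("Library/LaunchAgents/com.Mughthesec.plist")
SAMPLE_SHA1 = "7c1b90890bdbf25747df702e000296dc28aa0eff"


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large installers are handled."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_sample(path):
    """True if the file's SHA-1 equals the sample hash listed on this page."""
    return sha1_of(path) == SAMPLE_SHA1


def check_home(home):
    """Return findings for one user's home directory; an empty list means no hit."""
    agent = Path(home) / AGENT_RELPATH
    if not agent.is_file():
        return []
    try:
        with open(agent, "rb") as fh:
            plist = plistlib.load(fh)  # accepts XML and binary plists
        if not isinstance(plist, dict):
            raise ValueError("top-level plist object is not a dictionary")
    except Exception as exc:
        # An unreadable plist at this path is still a hit worth triaging.
        return [{"path": str(agent), "error": str(exc)}]
    return [{
        "path": str(agent),
        "label": plist.get("Label"),
        # What launchd would start at login: the file to collect and hash.
        "program": plist.get("ProgramArguments") or plist.get("Program"),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }]


if __name__ == "__main__":
    for finding in check_home(Path.home()):
        print(finding)
```

The `program` entry of a finding is the binary to collect and pass to `matches_sample`, alongside any downloaded installer image.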