MacInstaller (Malware)
⚠️ Overview
MacInstaller is a family of adware and potentially unwanted program (PUP) installers targeting macOS systems, first documented publicly by Malwarebytes in 2019. It is operated by unknown threat actors, likely affiliated with adware networks such as Genieo and Vsearch, and serves as a dropper for other adware components. The malware falls under the category of adware and PUP as defined by MITRE ATT&CK (technique T1472: Adversary-in-the-Middle for PUP delivery).
🔧 Technical Capabilities
MacInstaller propagates through malvertising, fake software update prompts (e.g., Adobe Flash Player), and bundled installers on third-party download sites. It uses social engineering to trick users into granting administrator privileges via a fake password prompt. Once executed, the installer drops a core component—often a LaunchAgent (persistence mechanism T1543.001) or a LaunchDaemon—to maintain persistence across reboots. It employs obfuscated shell scripts and AppleScript to download and execute additional payloads from command-and-control (C2) servers, typically hosted on compromised domains or content delivery networks. Evasion techniques include code signing with stolen or self-signed certificates, string encryption, and anti-analysis checks against virtual machines and debuggers. The malware does not use traditional C2 protocols but instead fetches periodic configuration files over HTTPS, making network detection challenging.
📜 History & Notable Incidents
MacInstaller first appeared in mid-2019, with significant campaigns detected by Malwarebytes and Objective-See in 2020 distributing fake Adobe Flash Player installers. In March 2021, the malware was linked to a Shlayer campaign (related adware family), though MacInstaller itself is not classified under any known CVE. No major high-profile victims or law enforcement actions have been documented; the threat primarily affects home and small business macOS users. Academic research from the University of Cambridge (2022) analyzed its distribution infrastructure, noting over 50,000 unique downloads in a single month.
🔍 Detection Indicators
Known file hashes include SHA-256 values such as a3c8e7f1b2d4... (example) from Malwarebytes’ threat database. Behavioral indicators include unexpected authorization prompts for “System Preferences” modification, the creation of plist files in /Library/LaunchAgents/ (e.g., com.macinstaller.plist), and outbound HTTP requests to domains like install.macinstaller[.]com. Network IOCs include User-Agent strings such as MacInstaller/1.0 and specific mutex names like MacInstallerMutexLock.
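The indicators above (a launchd plist such as com.macinstaller.plist under /Library/LaunchAgents/, the MacInstaller/1.0 User-Agent, and traffic to install.macinstaller[.]com) can be hunted for with a short script. The one below is an added example, not code from this page, from Malwarebytes, or from any vendor's product: it checks launchd plists for the listed label and for ProgramArguments that reference the listed domain, and it runs the domain and User-Agent indicators over proxy-log lines. The plist contents, the log lines, and the single-line log format (timestamp, client, method, URL, status, quoted User-Agent) are constructed for the example; the domain is kept in its defanged form and re-fanged only in memory.

```python
from __future__ import annotations

import plistlib
import re
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse

# Indicators as published on this page. The domain stays defanged in the
# list and is re-fanged only in memory for matching.
IOC_DOMAINS_DEFANGED = ["install.macinstaller[.]com"]
IOC_USER_AGENTS = ["MacInstaller/1.0"]
IOC_LABEL_PREFIXES = ["com.macinstaller"]
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons"]

# Constructed proxy-log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def refang(domain: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a matchable host name."""
    return domain.replace("[.]", ".")


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]


@dataclass
class Finding:
    source: str     # plist file name or proxy-log line number
    indicator: str  # indicator(s) that matched
    detail: str     # the evidence behind the match


def check_plist(name: str, data: bytes) -> list[Finding]:
    """Flag a launchd plist whose Label, file name or ProgramArguments match the indicators."""
    findings: list[Finding] = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # an unparseable plist in a launchd directory is itself notable
        return [Finding(name, "unparseable-plist", str(exc))]
    label = str(plist.get("Label", ""))
    args = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    for prefix in IOC_LABEL_PREFIXES:
        if label.startswith(prefix) or name.startswith(prefix):
            findings.append(Finding(name, prefix, f"Label={label!r}"))
    if any(d in args for d in IOC_DOMAINS):
        findings.append(Finding(name, "ioc-domain-in-ProgramArguments", args))
    return findings


def scan_plist_files(paths: list[Path]) -> list[Finding]:
    """Run check_plist over every path given (normally *.plist in LAUNCH_DIRS)."""
    findings: list[Finding] = []
    for p in paths:
        findings += check_plist(p.name, p.read_bytes())
    return findings


def scan_proxy_log(text: str) -> list[Finding]:
    """One Finding per log line whose host or User-Agent matches an indicator."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not guessed at
        _ts, client, _method, url, _status, ua = m.groups()
        host = (urlparse(url).hostname or "").lower()
        hits = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
        hits += [u for u in IOC_USER_AGENTS if ua == u]
        if hits:
            findings.append(Finding(f"line {lineno}", ",".join(hits), f"{client} -> {url}"))
    return findings


# Constructed samples: one plist shaped like the indicator, one benign plist,
# and three proxy-log lines of which two should be flagged.
SAMPLE_MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.macinstaller.agent",
    "ProgramArguments": ["/bin/sh", "-c", "curl -s https://install.macinstaller.com/config"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example",
    "ProgramArguments": ["/usr/bin/true"],
})
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://www.apple.com/ 200 "Safari/17.0"
2024-05-01T10:00:02Z 10.0.0.7 GET https://install.macinstaller.com/config.json 200 "MacInstaller/1.0"
2024-05-01T10:00:03Z 10.0.0.9 GET https://cdn.example.net/update.plist 200 "MacInstaller/1.0"
"""

if __name__ == "__main__":
    # On a real host, walk the launchd directories named on this page.
    plist_paths = [p for d in LAUNCH_DIRS for p in Path(d).glob("*.plist")]
    for f in scan_plist_files(plist_paths) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

Matching on the parsed host name rather than on a substring of the URL avoids false positives from query strings or paths that merely mention the domain, and the User-Agent comparison is exact because a loose match on "MacInstaller" would also catch unrelated software that happens to use the word.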
☠️ Risk & Impact
MacInstaller primarily exfiltrates browsing habits and search queries for ad revenue, but it can also act as a loader for more severe threats such as ransomware or info-stealers. Financial losses are indirect (click fraud, unwanted purchases); affected sectors include education, retail, and personal users downloading free software. The malware degrades system performance and compromises user privacy without immediate catastrophic impact.
🛡️ Mitigation
Defensive measures include using Gatekeeper (macOS) to block unsigned apps, disabling the “Open safe files after downloading” option in Safari, and deploying endpoint detection rules (e.g., Sigma rule id: 1a3f8c2b-... from SOC Prime) that alert on LaunchAgent creation. Regular scans with Malwarebytes or Bitdefender for Mac, and enforcing application allow-listing via MDM, can prevent initial infection.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.