If you launch your favourite web browser, perform a search and notice that instead of landing on the results page of Google, DuckDuckGo, or whichever search engine you used, you land on pitchofcase.com, you’ve been hit by malware.

• Clairvoyant Mac App Malware Installer
• Clairvoyant Mac App Malware App
• Free Malware For Mac

That’s the bad news. The good news is that you can get rid of it by following the steps we outline here. Before we get to that, however, let’s have a closer look at pitchofcase.com and find out what it is.

What is Pitchofcase Mac malware?

The Dark Sky app, priced at $3.99, continues to be available, and today Apple released an update for the app. Dark Sky version 6.8.5 features a new extra large watch complication to be used with. While malware on the Mac is rare, it does crop up, as we've demonstrated. Having the right tools to get rid of malware can be an important part of keeping your Mac safe and secure. There are a number of tools that you can choose from, including popular programs like BitDefender and Kaspersky, that will help you keep malware from infecting your Mac. (The Safe Mac also has an excellent website and Twitter feed if you want the latest, up-to-date info on Mac Adware, Malware, and security concerns.) One click in Adware Medic can cure all that.

It’s a form of malware known as a browser hijacker. Once it’s on your Mac, it redirects searches in any browser you launch, no matter which search engine you normally use, and sends them to pitchofcase.com. It then displays adverts so that the creators can make money, and very likely steals data like your IP address, search queries and browsing habits.

How did it get onto my Mac?

Pitchofcase uses a technique called bundling. That means when you download what looks like a perfectly legitimate app, you also download the malware. And when you agree to install the other app, Pitchofcase installs too.

To avoid downloading this, or any other malware, it’s best to stay clear of download sites that use their own download managers, because that’s how the malware is bundled. It’s also best to avoid known sources of malware, such as MPlayer X and Nice Player. There are plenty of other excellent media players available for macOS, like VLC. And never click on a link from a website when it tells you that software on your Mac, like Flash Player, is out of date — that’s almost guaranteed to lead to you downloading malware.

How to remove pitchofcase.com malware

1. Go to your Applications folder and look for the last app you downloaded before you noticed the browser hijacker. It will probably be Nice Player or MPlayer X.
2. When you find it, drag it to the Trash and empty it.
3. Go to the Go menu in the Finder and choose Go to Folder then go to each of the locations listed below and look for files related to Nice Player or MPlayer X

~/Library/Application Support
~/Library/Application Support
~/Library/LaunchAgents
~/Library/LaunchDaemons

Tip: Some apps like, CleanMyMac X recognize the Pitchofcase malware. If you want to quickly eliminate this nasty virus, download CleanMyMac X for free here.
After you run CleanMyMac X, click the Malware Removal tab

Erasing Pitchofcase from Launch Agents

Pitchofcase is known to infiltrate the so-called Launch Agents that manage items working in the background. To be doubly sure you’ve cleaned it, check the Launch Agents tool in the same app, CleanMyMac X.
By the way, I use it regularly to scan my Mac and make sure there is no nasty adware, spyware or any other malware on it. And I’m not the only one, here’s what Cult of Mac said about CleanMyMac recently: ‘CleanMyMac X offers all the tools you need to ensure your machine is always speedy and safe.’

Once you’ve removed all traces of the apps you downloaded, you need to reset the browser settings that pitchofcase.com changed

How to remove pitchofcase from Safari

1. Launch Safari, and choose Preferences from the Safari menu
2. Click on the Extensions tab
3. Locate any recently installed extensions, or any you didn’t deliberately install
4. Select them and press Uninstall
5. Click on the General tab and type or paste your preferred Homepage into the box
6. Select the search tab and set the search engine to your preference

To remove pitchofcase.com malware from Chrome, do the following

1. Paste chrome://extensions into the address bar
2. Look for any extensions you didn’t deliberately install, if you find one, select it and press Remove
3. Go to chrome://settings/startup and change the homepage to your preference
4. Paste chrome://settings/searchengines and click the ‘More Actions’ button next to your preferred search engine, then choose ‘Make Default’
5. Click the ‘More Actions’ button next to pitchofcase.com and choose ‘Remove from List’

Here’s how to remove pitchofcase.com from Firefox

1. Launch Firefox and click on the three lines icon on the right of the address bar
2. Choose Add-ons and then Extensions
3. Look for any extensions that you didn’t deliberately install
4. Click on “Remove” next to them
5. Press on the three lines again and choose Options
6. Set the homepage and default search engine to your preference

As you can see, while removing pitchofcase.com manually isn’t difficult, it does involve quite a few steps. That’s why I prefer to use CleanMyMac X to help with getting rid of malware and junk files. I also use it to remove Chrome Extensions.

Malware

We found an EXE application that specifically runs on Mac to download an adware and info stealer, sidestepping built-in protection systems on the platform such as Gatekeeper.

Clairvoyant Mac App Malware Installer

Update as of 6:00 P.M. PST, May 3, 2019: Our continued observation of the malware sample showed that it spoofs popular Mac apps, instead of being included in the app installers themselves as previously reported. We made the corrections in the technical analysis in this post. We would also like to thank Objective Development for clarifying this issue.

Update as of 5:00 P.M. PST, February 18, 2019: Further analysis on the sample indicated that it does not bypass the Gatekeeper mechanism as previously reported. We made the necessary changes in the technical analysis in this post. We would also like to thank Apple Product Security team for reaching out to us to clarify this issue.

EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.

However, we found EXE files in the wild delivering malicious payload on macOS recently. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.

Behavior

The samples pose as installers of popular apps and are often available for download from various torrent websites. Examples of the applications they pose as are as follows:

• Paragon_NTFS_for_Mac_OS_Sierra_Fully_Activated.zip
• Wondershare_Filmora_924_Patched_Mac_OSX_X.zip
• LennarDigital_Sylenth1_VSTi_AU_v3_203_MAC_OSX.zip
• Sylenth1_v331_Purple_Skin__Sound_Radix_32Lives_v109.zip
• TORRENTINSTANT.COM+-+Traktor_Pro_2_for_MAC_v321.zip
• Little_Snitch_583_MAC_OS_X.zip

When the downloaded .ZIP file is extracted, it contains a .DMG file hosting the supposed installer of the spoofed app.

Figure 1. Sample of the malicious file

Clairvoyant Mac App Malware App

Figure 2. Installer contained in the .DMG sample we analyzed posing as a legitimate application

Inspecting the installer contents, we found the unusual presence of the .EXE file bundled inside the app, verified to be a Windows executable responsible for the malicious payload.

Figure 3. Suspicious .EXE bundled for Mac app installer

When the installer is executed, the main file also launched the executable as it is enabled by the mono framework included in the bundle. This framework allows the execution of Microsoft .NET applications across platforms such as OSX.

Free Malware For Mac

Once run, the malware collects the following system information:

• ModelName
• ModelIdentifier
• ProcessorSpeed
• ProcessorDetails
• NumberofProcessors
• NumberofCores
• Memory
• BootROMVersion
• SMCVersion
• SerialNumber
• UUID

Under the /Application directory, the malware also scans for all the basic and installed apps and sends all the information to the C&C server:

• App Store.app
• Automator.app
• Calculator.app
• Calendar.app
• Chess.app
• Contacts.app
• DVD Player.app
• Dashboard.app
• FaceTime.app
• Font Book.app
• Image Capture.app
• iTunes.app
• Launchpad.app
• Mail.app
• Maps.app
• Messages.app
• Mission Control.app
• Notes.app
• Photo Booth.app
• Photos.app
• Preview.app
• QuickTime Player.app
• Reminders.app
• Safari.app
• Siri.app
• Stickies.app
• System Preferences.app
• TextEdit.app
• Time Machine.app
• UtilitiesiBooks.app

It downloads the following files from the Internet and saves it to the directory ~/Library/X2441139MAC/Temp/:

• hxxp://install.osxappdownload.com/download/mcwnet
• hxxp://reiteration-a.akamaihd.net/INSREZBHAZUIKGLAASDZFAHUYDWNBYTRWMFSOGZQNJYCAP/FlashPlayer.dmg
• hxxp://cdn.macapproduct.com/installer/macsearch.dmg

Figure 4. Downloaded files saved in the directory

These .DMG files are mounted and executed as soon as they are ready, as well as displaying a PUA during execution.

Figure 5. One of the adwares downloaded posing as a popular app

This malware runs specifically to target Mac users. Attempting to run the sample in Windows displays an error notification.

Figure 6. Error notification when installer is executed in Windows

Currently, running EXE on other platforms would have no impact on non-Windows systems such as MacOS. A mono framework installed in the system is required to compile or load these executables and libraries. In this case, however, the bundling of the said framework with the malicious files becomes a workaround to enable EXE files to run on Mac systems. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts. Overall, this technique may be done to overcome a malicious user’s Objective-c coding limitations.

Conclusion/how-to-open-new-window-with-app-on-mac.html.

We suspect that this specific malware can be used for future inter-platform attacks, where a single executable can perform its payload on different operating systems. We believe that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites. We will continue investigating how cybercriminals can use this information and routine. Users should avoid or refrain from downloading files, programs, and software from unverified sources and websites, and install a multi-layered protection for their individual and enterprise systems.

Trend Micro Solutions

The following Trend Micro products detect and block this threat:

Trend Micro Antivirus for Mac
Trend Micro Smart Protection Suites

Indicators of Compromise