Analysis by: Arvin Roi Macaraeg

ALIASES:

HEUR:AdWare.OSX.Geonei.ab (Kaspersky); OSX.Trojan.Gen (Norton Symantec)

PLATFORM:

MacOS


  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be unknowingly downloaded by a user while visiting malicious websites.

However, as of this writing, the said sites are inaccessible.

TECHNICAL DETAILS

File Size: 669,696 bytes
File Type: DMG
Memory Resident: No
Initial Samples Received Date: 26 Feb 2018

Arrival Details

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Other Details

This Adware connects to the following possibly malicious URL:

  • http://ikjhtr.{BLOCKED}i.pw

It does the following:

  • The sample arrives as a DMG file.
  • When mounted, the DMG file exposes the app bundle at the following path:
    • /Volumes/PlayerInstaller/Click Here To Install.app
  • The app bundle contains the following file:
    • Click Here To Install.app/Contents/MacOS/Installer

However, as of this writing, the said sites are inaccessible.

SOLUTION

Minimum Scan Engine: 9.850
SSAPI PATTERN File: 2.211.00
SSAPI PATTERN Date: 05 Sep 2019

Scan your computer with your Trend Micro product to delete files detected as Adware.MacOS.GEONEI.LR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

NOTES:

Cleanup Instructions

Quitting the running process

  1. On your Taskbar, select Go and select “Go to Folder”
  2. Type “/Applications/Utilities”
  3. On the opened directory, select the app “Activity Monitor” and double-click it
  4. Once opened, type “Click Here To Install” in the search field
  5. Once found, left-click the process and select “Quit”
  6. Close the “Activity Monitor”

Unmounting the DMG

  1. On your Taskbar, select Go and select “Go to Folder”
  2. Type “/Volumes”
  3. Select the “PlayerInstaller” drive and right-click
  4. Select the option “Eject”

Perform a full scan on your system
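The same triage and cleanup as a Terminal script, added here as an example rather than a Trend Micro tool or anything from the page. It checks the on-disk indicators this entry lists (the mounted PlayerInstaller volume, the Click Here To Install.app bundle and its Contents/MacOS/Installer binary), checks whether the process is running, and can quit it and eject the DMG. It assumes it is run in Terminal on the affected Mac with pkill and hdiutil available; the optional ROOT argument to geonei_check is an assumption of this example, present only so the path checks can be exercised against a constructed test tree.

```shell
#!/bin/sh
# Added triage helper for the indicators listed on this page (example code, not
# Trend Micro's). Assumption: run on the affected Mac; ROOT lets the path checks
# be pointed at a test tree instead of the real /Volumes.

GEONEI_VOLUME="PlayerInstaller"
GEONEI_APP="Click Here To Install.app"
GEONEI_BIN="Contents/MacOS/Installer"

# geonei_check [ROOT]: print each on-disk indicator found under ROOT/Volumes
# (ROOT defaults to "", i.e. the real /Volumes). Returns 0 if any was found, 1 otherwise.
geonei_check() {
    root="${1:-}"
    vol="$root/Volumes/$GEONEI_VOLUME"
    found=1
    if [ -d "$vol" ]; then
        echo "mounted volume present: $vol"
        found=0
    fi
    if [ -d "$vol/$GEONEI_APP" ]; then
        echo "app bundle present: $vol/$GEONEI_APP"
        found=0
    fi
    if [ -f "$vol/$GEONEI_APP/$GEONEI_BIN" ]; then
        echo "installer binary present: $vol/$GEONEI_APP/$GEONEI_BIN"
        found=0
    fi
    return $found
}

# geonei_process_running: 0 if a process whose argument list names the app bundle
# is running. The second grep drops the grep process itself, whose own arguments match.
geonei_process_running() {
    ps -eo args= 2>/dev/null | grep -F "$GEONEI_APP" | grep -v 'grep' >/dev/null
}

# geonei_cleanup: the manual steps above in one pass (quit the process, eject the
# DMG, then run a full scan). macOS-only: pkill and hdiutil are assumed present.
geonei_cleanup() {
    if geonei_process_running; then
        echo "quitting $GEONEI_APP"
        pkill -f "$GEONEI_APP"
    fi
    if [ -d "/Volumes/$GEONEI_VOLUME" ]; then
        echo "ejecting /Volumes/$GEONEI_VOLUME"
        hdiutil detach "/Volumes/$GEONEI_VOLUME"
    fi
    echo "now run a full scan with your security product"
}

# Usage: sh geonei.sh --check    (report only, no changes)
#        sh geonei.sh --cleanup  (quit the process and eject the volume)
case "${1:-}" in
    --check)   geonei_check ;;
    --cleanup) geonei_cleanup ;;
esac
```

Run with --check first so you see exactly what is present before anything is quit or ejected; ejecting only removes the mounted image, so the downloaded .dmg file itself and anything the installer wrote still need the full scan the page calls for.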

