New Mac backdoor malware: Eleanor

PUP Friday: MPlayerX

MPlayerX began to be associated with malware about two years ago, or possibly even longer. Back in 2014, an emerging piece of adware that soon crossed the line to malicious behavior, called VSearch, was frequently associated with MPlayerX installers. At the time, many people assumed that MPlayerX was being used in the same manner that Adobe Flash Player often is – innocent software used to trick people into running a shady installer.

MPlayerX began to be so synonymous with the VSearch adware that Google searches for “MPlayerX” began to show prominently-featured hits for “MPlayerX removal.” Worse, it eventually became apparent that MPlayerX was not simply an innocent victim.

In early 2015, MPlayerX wasn’t being distributed with VSearch anymore. Unfortunately, this didn’t turn out to be good news, as it was soon discovered that the official MPlayerX installer, downloaded directly from the MPlayerX website, had started to include the IronCore adware.

MPlayerX IronCore installer

The bad behavior didn’t stop there, however. The official MPlayerX installer began to attempt to defy analysis!

Malware will frequently exhibit analysis avoidance behavior. This means that if it feels that it is being analyzed by a security researcher or automated security software, it will act innocent, showing none of its malicious behaviors. Thus, if a researcher or tool is not aware that the program is malicious, it avoids sending up any red flags that would trigger a more thorough analysis.

The most common method of analysis avoidance that malware uses is to detect whether it is running within a virtual machine – in other words, a full system running entirely within a piece of software. For example, a researcher may install Mac OS X within a virtual machine run by a program like Parallels, VMWare, or VirtualBox. Using a virtual machine is a good way to keep the malware isolated from a real system, so that the infection is easier to contain.

The MPlayerX installer, it turned out, was doing exactly that. When run in a virtual machine, it installed nothing but MPlayerX. When opened on a “real” system, however, it would install the IronCore adware, as well as (at that time) the junk apps MacKeeper and ZipCloud.

Recently, we decided to re-evaluate MPlayerX for possible detection as a PUP (potentially unwanted program). Sure enough, although the installer had been updated, it still exhibited the same analysis avoidance behavior, this time installing IronCore, MacKeeper, and MegaBackup.

The following video shows the MPlayerX installer being downloaded from the official MPlayerX site and being installed twice. The first time, it is installed in a Parallels Virtual Machine running Mac OS X 10.11 (El Capitan), and it installs nothing but MPlayerX. (Or, more accurately, installs an MPlayerX installer that you still have to run to install MPlayerX…)

The second time shows the same process, in the same virtual machine – with some modifications to the virtual machine to defeat the technique MPlayerX uses to detect it. Thus, MPlayerX can’t detect that it’s running in a virtual machine, and thinks it’s on a real system, in the second case, at which time it dumps its nasty payload of crap.

The bundling of MPlayerX into an adware installer, alongside adware and other PUPs, is reason enough to consider it to be a PUP according to our PUP criteria. The addition of malware-like analysis avoidance behavior makes the decision to call MPlayerX a PUP a no-brainer.

Further, because we feel that this malware-like behavior shows that the developer of MPlayerX is not trustworthy, we detect the Mac App Store version of MPlayerX to be a PUP as well. Malwarebytes Anti-Malware for Mac detects any version of MPlayerX as PUP.MPlayerX.

Update (2019-09-18): Although we still don’t recommend trusting software from anyone who would use an installer like the one described above, we no longer detect MPlayerX itself. We do, however, still block the launch of the MPlayerX installer via our App Block feature… because it still behaves as described, and you really don’t want to be running that. If you feel that you must use MPlayerX, instead of other alternatives (like VLC), get it from the App Store instead.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.