Search Marquis malware easily bypasses built-in Mac defenses

Back in the day, when malware makers were busy carving up the PC landscape, the Mac was a godsend for the average security-minded user. Things have changed, though, and so has the status quo in the cybercrime arena. Over the past few years, threats targeting computers running macOS have seen a dramatic spike. Here we are now: adware, rogue optimizers, ransomware, and crypto-miners have gone from marginal to commonplace in this once-safe environment. Moreover, some of these culprits are treacherous enough to survive major system security updates, as well as the native malware countermeasures, for an insanely long time. A prolific browser hijacker called Search Marquis is a prime example of such a threat.

This piece of malicious code shows its sharp fangs by repeatedly redirecting a victim’s web sessions in Safari, Chrome, and Firefox to searchmarquis.com. From there, the traffic passes through interstitial domains such as searchbaron.com, nearbyme.io, and r.a9g.io until it lands on Bing. As odd as it may sound, Microsoft’s search engine has been an element of similar browser manipulation schemes for quite a while. Why? Probably because it works well as a red herring in such chicanery: it smokescreens everything that happens before the victim reaches the landing page, including the ad networks that make up the profit model of the Search Marquis masters.

Safari keeps going to searchmarquis.com

That being said, it is genuinely puzzling how this clearly malicious app has kept duping macOS protection features like the XProtect anti-malware module and the strict app notarization controls; this remains an open question at this point. The infection typically occurs after a user unwittingly agrees to the terms of an installation client that appears to promote some useful software. If this bundling trick pans out, the intrusive program displays a series of regular-looking dialogs to gain elevated privileges. In particular, it obtains Full Disk Access, adds itself to the login items so that it runs at each login, and installs a configuration profile whose role is to take control of the victim’s default web browser. As a result, the Mac owner can bid farewell to normal web surfing until they complete a thorough threat removal procedure. Thankfully, effective cleaning methods and tools are available on different security resources. The bitter thing is that Apple’s protection toolkit seems to be worthless in light of large-scale traffic redistribution campaigns like this.
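The persistence step described above (a login item that runs at each login) leaves a launchd property list in one of the LaunchAgents or LaunchDaemons folders, and those files are the first thing to triage during removal. The following Python script is an added illustration, not code from the original post or from any Search Marquis analysis: it parses such plists and flags items that execute from transient or hidden locations. The heuristics, the sample plist contents, and the label `com.example.searchhelper` are constructed for the example and are assumptions rather than known Search Marquis indicators.

```python
"""Triage macOS launchd persistence items (LaunchAgents / LaunchDaemons).

Added example for the persistence step described in the article; the
heuristics below are assumptions for illustration, not a Search Marquis
signature. Runs read-only and changes nothing on the system.
"""
import os
import plistlib
from typing import Dict, Iterable, List

# Directories launchd reads user and system persistence items from (real macOS paths).
DEFAULT_LAUNCH_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)

# Locations a legitimate login item rarely executes from (assumed heuristic list).
SUSPICIOUS_PREFIXES = (
    "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/",
)

# Constructed sample: a persistence item hiding its executable in a dot-directory.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.searchhelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/Application Support/.hidden/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an ordinary system daemon that should not be flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.maintenance</string>
  <key>Program</key><string>/usr/libexec/example-daemon</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def triage_launch_item(plist_bytes: bytes, check_disk: bool = False) -> Dict:
    """Parse one launchd plist and return a triage record with the reasons it was flagged."""
    info = plistlib.loads(plist_bytes)
    args = info.get("ProgramArguments") or []
    program = info.get("Program") or (args[0] if args else "")
    reasons: List[str] = []
    if not program:
        reasons.append("no Program or ProgramArguments key")
    if any(program.startswith(prefix) for prefix in SUSPICIOUS_PREFIXES):
        reasons.append(f"executes from a transient location: {program}")
    # A dot-directory anywhere in the path is unusual for a legitimate login item.
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append(f"hidden path component in executable path: {program}")
    # Optional: an executable that no longer exists often means a half-removed infection.
    if check_disk and program and not os.path.exists(program):
        reasons.append(f"executable missing on disk: {program}")
    return {
        "label": info.get("Label", "<no label>"),
        "program": program,
        "run_at_load": bool(info.get("RunAtLoad", False)),
        "keep_alive": bool(info.get("KeepAlive", False)),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_launch_dirs(dirs: Iterable[str] = DEFAULT_LAUNCH_DIRS, check_disk: bool = True) -> List[Dict]:
    """Triage every .plist in the given directories; unparseable files are flagged, not skipped."""
    findings: List[Dict] = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    record = triage_launch_item(fh.read(), check_disk=check_disk)
            except (plistlib.InvalidFileException, OSError, ValueError) as exc:
                record = {"label": name, "program": "", "run_at_load": False, "keep_alive": False,
                          "reasons": [f"unparseable plist: {exc}"], "suspicious": True}
            record["path"] = path
            findings.append(record)
    return findings


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live directories if present.
    print("sample:", triage_launch_item(SAMPLE_PLIST))
    for record in scan_launch_dirs():
        if record["suspicious"]:
            print(f"{record['path']}: {record['label']} -> {'; '.join(record['reasons'])}")
```

Run it as a normal user to cover the per-user LaunchAgents folder, and with sudo to read the system-level folders. The other two footholds named in the article are checked outside this script: `profiles list` enumerates installed configuration profiles, and the Full Disk Access list under Privacy & Security shows which programs were granted that permission.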
