A Reluctant Spy Mac OS
How to remove Immediately Call Apple Support from Mac?
What is Immediately Call Apple Support?
'Immediately Call Apple Support' is a fake error message displayed by a malicious exploit. This exploit is hosted on various websites, which are promoted via spam emails that encourage users to visit certain URLs. Following a visit to one of these websites, the exploit keeps spawning new tasks until the computer freezes. A fake error message is then displayed.
There are two variants of this exploit. The first targets computers running the OS X 10.10 (Yosemite) operating system. This variant continually opens new email message windows via the default Mac mail application. Once a certain number of windows are open, the system runs out of memory and, therefore, freezes. The second targets computers running the OS X 10.11 (El Capitan) and OS X 10.12 (Sierra) operating systems. This variant opens the iTunes application and repeatedly emulates clicks on an iTunes link, driving the Mac into a denial-of-service state that also results in a system freeze. Once the system has stopped responding, the exploit displays a fake error message stating that the system is infected and that the user's private details (credit card information, email and other account passwords, etc.) are at risk. To remove the infection, victims must supposedly contact 'Apple Customer Support' via a telephone number ('1-800-876-6855') provided. Be aware, however, that this is a scam. There is no such infection. This error is merely an attempt to scare and trick victims into calling and paying for services that are not needed. You should ignore this error message and never open any of these sites again.
| Field | Details |
|---|---|
| Name | Warning Virus Detected! Scam |
| Threat Type | Mac malware, Mac virus |
| Symptoms | Your Mac became slower than normal, you see unwanted pop-up ads, you get redirected to shady websites. |
| Distribution methods | Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads. |
| Damage | Internet browsing tracking (potential privacy issues), displaying of unwanted ads, redirects to shady websites, loss of private information. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
'Immediately Call Apple Support' shares similarities with many other fake errors such as Mac Detected TAPSNAKE infection and MAC Malware Warning Alert! All claim that the system is infected, missing files, or corrupted/damaged in other similar ways; however, as with 'Immediately Call Apple Support', these errors are also attempts to scam victims. You should never trust these messages.
How did Immediately Call Apple Support install on my computer?
Fake errors are often distributed with adware-type applications that offer various 'useful features'. Cyber criminals proliferate these apps using a deceptive marketing method called 'bundling' - stealth installation of third party software with regular applications. Developers know that users often rush the download/installation processes and skip most steps. Therefore, bundled programs are concealed within the 'Custom/Advanced' settings. By skipping this section, users expose their systems to the risk of various infections and compromise their privacy. Fake errors might also be distributed via fake software updates, trojans, spam emails (malicious attachments), and third party software download sources (peer-to-peer networks, freeware download websites, etc.).
How to avoid installation of potentially unwanted applications?
To prevent this situation, be cautious when downloading/installing software. Closely analyze each download/installation step using the 'Custom' or 'Advanced' settings. Furthermore, never accept offers to download/install additional applications and cancel those already included. You should use a legitimate anti-virus/anti-spyware suite and keep your installed applications up-to-date. In addition, never open files received from suspicious emails or download any software from unofficial sources. The key to computer safety is caution.
Exploit displaying a fake error message via the default Mac mail app:
Warning Virus Detected! Immediately Call Apple Support +1-800-876-6855. Your credit card details and banking information. Your e-mail passwords and other account passwords. Your Facebook, Skype, AIM, ICQ and other. Call Apple Support +1-800-876-6855. Your private photos, family photos and other sensitive files. Your webcam could be accessed remotely by stalkers with a VPN virus.
Websites that host 'Immediately Call Apple Support' exploits (never visit these sites):
safari-get(.)com; safari-get(.)net; safari-serverhost(.)com; safari-serverhost(.)net
To close new mail windows opened by the exploit, you can use 'Force Quit Applications' (opened by pressing CTRL+ALT+ESC). Users must close Safari and Mail applications:
Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac. By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. A limited three-day free trial is available.
Quick menu:
- STEP 1. Remove Immediately Call Apple Support related files and folders from OSX.
- STEP 2. Remove Immediately Call Apple Support ads from Safari.
- STEP 3. Remove Immediately Call Apple Support adware from Google Chrome.
- STEP 4. Remove Immediately Call Apple Support ads from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Adware removal:
Remove Immediately Call Apple Support-related potentially unwanted applications from your 'Applications' folder:
Click the Finder icon. In the Finder window, select “Applications”. In the applications folder, look for “MPlayerX”,“NicePlayer”, or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Combo Cleaner checks if your computer is infected with malware. To use the full-featured product, you have to purchase a license for Combo Cleaner. A limited three-day free trial is available.
Remove warning virus detected! scam related files and folders:
Click the Finder icon, from the menu bar choose Go, and click Go to Folder...
Check for adware-generated files in the /Library/LaunchAgents folder:
In the Go to Folder... bar, type: /Library/LaunchAgents
In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.
Check for adware-generated files in the /Library/Application Support folder:
In the Go to Folder... bar, type: /Library/Application Support
In the “Application Support” folder, look for any recently-added suspicious folders. For example, “MplayerX” or “NicePlayer”, and move these folders to the Trash.
Check for adware-generated files in the ~/Library/LaunchAgents folder:
In the Go to Folder bar, type: ~/Library/LaunchAgents
In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.
Check for adware-generated files in the /Library/LaunchDaemons folder:
In the Go to Folder... bar, type: /Library/LaunchDaemons
In the “LaunchDaemons” folder, look for recently-added suspicious files. For example, “com.aoudad.net-preferences.plist”, “com.myppes.net-preferences.plist”, “com.kuklorest.net-preferences.plist”, “com.avickUpd.plist”, etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps in the correct order, your Mac should be clean of infections. To be sure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click the combocleaner.dmg installer; in the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your Launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the 'Start Combo Scan' button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays 'no threats found' - this means that you can continue with the removal guide, otherwise it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Warning Virus Detected! Scam homepage and default Internet search engine removal from Internet browsers:
Remove malicious extensions from Safari:
Remove warning virus detected! scam related Safari extensions:
Open Safari browser. From the menu bar, select 'Safari' and click 'Preferences...'.
In the preferences window, select 'Extensions' and look for any recently-installed suspicious extensions. When located, click the 'Uninstall' button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for normal browser operation.
Change your homepage:
In the 'Preferences' window, select the 'General' tab. To set your homepage, type the preferred website URL (for example: www.google.com) in the Homepage field. You can also click the “Set to Current Page” button if you wish to set your homepage to the website you are currently visiting.
Change your default search engine:
In the 'Preferences' window, select the 'Search' tab. Here you will find a drop-down menu labelled 'Search engine:' Simply select your preferred search engine from the drop-down list.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious plug-ins from Mozilla Firefox:
Remove warning virus detected! scam related Mozilla Firefox add-ons:
Open your Mozilla Firefox browser. At the top right corner of the screen, click the 'Open Menu' (three horizontal lines) button. From the opened menu, choose 'Add-ons'.
Choose the 'Extensions' tab and look for any recently-installed suspicious add-ons. When located, click the 'Remove' button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser - none are crucial for normal browser operation.
Change your homepage:
To change your homepage, click the 'Open Menu' (three horizontal lines) button and choose 'Preferences' from the drop-down menu. To set your homepage, type the preferred website URL (for example: www.google.com) in the Homepage Page.
Change default search engine:
In the URL address bar, type 'about:config' and click the 'I'll be careful, I promise!' button.
In the 'Search:' field, type the name of the browser hijacker. Right click on each of the found preferences and click 'Reset' from the drop-down menu.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Remove malicious extensions from Google Chrome:
Remove warning virus detected! scam related Google Chrome add-ons:
Open Google Chrome and click the 'Chrome menu' (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose 'More Tools' and select 'Extensions'.
In the 'Extensions' window, look for any recently-installed suspicious add-ons. When located, click the 'Trash' button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser - none are crucial for normal browser operation.
Change your homepage:
Click the 'Chrome menu' (three horizontal lines) button and choose 'Settings'. In the 'On Startup' section, click the 'Set pages' link near to the 'Open a specific page or set of pages' option. Remove the URL of the browser hijacker (for example trovi.com) and enter your preferred URL (for example, google.com).
Change default search engine:
Click the 'Chrome menu' (three horizontal lines) button and choose 'Settings'. In the 'Search' section, click the 'Manage search engines...' button. In the opened window, remove the unwanted Internet search engine by clicking the 'X' button next to it. Select your preferred Internet search engine from the list and click the 'Make default' button next to it.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Got a pop-up on my father's iPhone stating that there was spyware on it and a number to call Apple Care for support. The number was 1-888-294-4213. I stupidly called it and was talking to a guy named David for a few minutes before the call got disconnected, and David called me back from this number: 1-888-572-7957. I realized I only called the number because it was listed in a pop-up and I wasn't really sure if it was really Apple Care. I looked up the number on my other phone and discovered it was a scam. I hung up and cleared my Safari history and cookies.
How can I report this company? Opticom Solutions INC is sending the pop-up alert to all Apple devices and charging $49.99 for clearing the history and cookies. Apple should follow up on it, as these alerts are saying they are with Apple. Everyone, report this company for scam.
MacSpy is advertised as the 'most sophisticated Mac spyware ever', with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn't a new one, with players such as Tox and Shark in the game, it can be said that MacSpy is one of the first seen for the OS X platform.
The authors state that they created this malware due to Apple products gaining popularity in recent years. They also state that during their tenure in the field they have noticed a lack of 'sophisticated malware for Mac users' and they believe that 'people were in need of such programs on MacOS'. So they created MacSpy. The MacSpy authors claim to have the following features in the free version of their RAT:
If you are willing to pay an unknown amount of bitcoins for the advanced version, the malware authors advertise the following features:
MacSpy is not as polished as some of the malware-as-a-service providers out there, as there doesn't seem to be any customer-facing automated sign-up for their service. In order to receive a copy of MacSpy we had to email the author our preferred username and password so that they could make us an account. After confirming our details they created an account for us, and delivered a zipped file and the following instructions:
Initial Analysis
After unzipping the archive we observed that it contains four files:
- Mach-O 64-bit executable called 'updated'
- Mach-O 64-bit executable called 'webkitproxy'
- Mach-O 64-bit dynamically linked shared library called 'libevent-2.0.5.dylib'
- Config file
After examining webkitproxy and libevent-2.0.5.dylib, we noted they are signed by Tor, and thus we concluded that they are related to Tor onion routing. The contents of the config file further convinced us that our suspicions were correct:
Config Contents
The 'updated' file, on the other hand, is not digitally signed, and at the time of analysis it was completely undetected by the various AV engines on VirusTotal.
Anti-Analysis
MacSpy has several countermeasures that hamper analysis efforts. To prevent debugging, it calls ptrace() with the PT_DENY_ATTACH option. This is a common anti-debugger check on macOS and prevents a debugger from attaching to the process.
If you bypass the ptrace countermeasure, MacSpy has additional code that checks if it is running in a debugger.
The code above is very similar to the debugger checking code from this Stack Overflow post.
In addition to the anti-debugging countermeasures, MacSpy contains checks against the execution environment that can make it difficult to run in a virtual machine. In the code below, you can see that MacSpy checks that the number of physical CPUs is greater than 1, the number of logical cores is greater than 3, and the number of logical cores is twice the number of physical cores. MacSpy also checks that there is at least 4 GB of memory on the host. Since malware sandboxes often run with minimal resources, these checks can prevent the sample from executing its payload in such environments, so the analyst sees nothing beyond the initial checks.
Similar to MacRansom, MacSpy also compares the machine model to 'Mac' using the 'sysctl' command. MacSpy will kill all Terminal windows, which can be annoying to analysts using command-line tools to analyze the malware (OSX/Dok exhibits similar behavior by killing Terminal windows).
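Before detonating a sample that carries environment checks like the ones described above, it is worth confirming that the analysis VM would actually pass them. The following is an added Python example (my own code, not MacSpy's or AlienVault's): the function names are mine, the thresholds are the ones the write-up lists, and the live values are read through the standard macOS sysctl keys hw.physicalcpu, hw.logicalcpu, hw.memsize and hw.model.

```python
"""Evaluate an analysis VM against the anti-VM checks described in the
MacSpy write-up. Added example (not MacSpy's or AlienVault's code); the
function names are mine, the thresholds are the write-up's."""
import subprocess

GIB = 1024 ** 3
MIN_MEMORY_BYTES = 4 * GIB  # write-up: "at least 4 GB of memory"


def macspy_env_checks(physical_cpus: int, logical_cpus: int,
                      mem_bytes: int, model: str) -> dict:
    """Return check-name -> True when the sample would accept the value.

    A sandbox that fails any of these never reaches the persistence and
    exfiltration stages, so the analyst sees nothing of interest.
    """
    return {
        "physical_cpus_gt_1": physical_cpus > 1,
        "logical_cpus_gt_3": logical_cpus > 3,
        "logical_is_twice_physical": logical_cpus == 2 * physical_cpus,
        "memory_ge_4gib": mem_bytes >= MIN_MEMORY_BYTES,
        # write-up: "compares the machine model to 'Mac'"; a substring
        # match is my reading of that comparison
        "model_contains_mac": "Mac" in model,
    }


def would_run(checks: dict) -> bool:
    """True only if every check passes, i.e. the sample would detonate."""
    return all(checks.values())


def sysctl(name: str) -> str:
    """Read one sysctl value on macOS (e.g. hw.physicalcpu, hw.model)."""
    return subprocess.run(["sysctl", "-n", name], capture_output=True,
                          text=True, check=True).stdout.strip()


def live_checks() -> dict:
    """Collect the live values of the VM you are about to detonate in (macOS only)."""
    return macspy_env_checks(int(sysctl("hw.physicalcpu")), int(sysctl("hw.logicalcpu")),
                             int(sysctl("hw.memsize")), sysctl("hw.model"))


if __name__ == "__main__":
    # Constructed values for a typical minimal sandbox: 2 vCPUs, no SMT, 2 GiB.
    for name, ok in macspy_env_checks(2, 2, 2 * GIB, "VMware7,1").items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

On the live VM, replace the constructed values with `live_checks()`; a 2-core/4-thread guest with 4 GiB or more and a Mac-style model string clears all five checks.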
Persistence
In order to persist on the system, the malware creates a launch entry at ~/Library/LaunchAgents/com.apple.webkit.plist. This ensures that the malware runs at start-up and continues collecting information.
Behavior Analysis:
Upon execution, after successfully passing the anti-analysis checks and setting persistence, the malware copies itself and its associated files from the original point of execution to '~/Library/.DS_Stores/' and deletes the original files in an attempt to stay hidden from the user. The malware then checks that its Tor proxy works by using the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it collected earlier, such as system information, via POST requests through the Tor proxy. This process repeats for each kind of data the malware has collected. After exfiltration, the malware deletes the temporary files containing the data it sent.
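A triage check for the on-disk artifacts named in the Persistence and Behavior Analysis sections above: the LaunchAgent at ~/Library/LaunchAgents/com.apple.webkit.plist and the hidden copy under ~/Library/.DS_Stores/. This is an added Python example (my code, not the malware's or AlienVault's); the two sample plists are constructed to match the write-up's description, and the function names are mine.

```python
"""Look for the MacSpy persistence artifacts the write-up names. Added
example, not the malware's or AlienVault's code; function names and the
sample plists are mine."""
import plistlib
from pathlib import Path

PERSISTENCE_PLIST = Path("~/Library/LaunchAgents/com.apple.webkit.plist").expanduser()
HIDDEN_DIR = Path("~/Library/.DS_Stores").expanduser()


def launch_agent_findings(plist_bytes: bytes) -> list:
    """Return the reasons a per-user LaunchAgent plist matches the write-up.

    Apple ships its own agents under /System/Library/LaunchAgents, so an
    Apple-style label in ~/Library deserves a look, and no legitimate
    program lives under a dot-directory inside ~/Library.
    """
    data = plistlib.loads(plist_bytes)
    reasons = []
    label = data.get("Label", "")
    if label.startswith("com.apple."):
        reasons.append(f"Apple-style label in user LaunchAgent: {label}")
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if "/Library/.DS_Stores/" in program:
        reasons.append(f"program under hidden dot-directory: {program}")
    if data.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad set, so it starts at every login")
    return reasons


def scan_user_library() -> dict:
    """Check the live home directory for both artifacts (macOS)."""
    result = {"hidden_dir_present": HIDDEN_DIR.is_dir(), "plist_reasons": []}
    if PERSISTENCE_PLIST.is_file():
        result["plist_reasons"] = launch_agent_findings(PERSISTENCE_PLIST.read_bytes())
    return result


# Constructed plists for illustration (not real captures): one modelled on
# the write-up's description, one ordinary third-party updater.
MACSPY_LIKE_PLIST = plistlib.dumps({
    "Label": "com.apple.webkit",
    "ProgramArguments": ["/Users/victim/Library/.DS_Stores/updated"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for reason in launch_agent_findings(MACSPY_LIKE_PLIST):
        print("suspicious:", reason)
    print("benign findings:", launch_agent_findings(BENIGN_PLIST))
```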
The following curl command is used to exfiltrate data:
Contents of ~/Library/.DS_Stores/data/tmp/SystemInfo
User Web Portal
In our initial email to the malware authors we sent the credentials that we wanted to use in their web portal. After logging into the MacSpy web portal, you are greeted with a very bare-bones directory listing containing a folder labelled with the most recent date the malware executed on a system, in YYYYMM format, followed by a folder in DD format. Inside that folder is a series of directories mirroring the directory naming on the victim system, and inside these is the data collected from the victim the malware was executed on.
Detection
NIDS
The best way to detect MacSpy running on a Mac is to use Network IDS (NIDS) rules that match its traffic as it communicates. As it turns out, AlienVault already provides such a rule in its threat intelligence, called 'System Compromise, Malware RAT, MacSpy'. This feeds into the USM correlation engine to generate an alarm that notifies AlienVault customers that one of their systems is compromised.
Osquery
Yara
You can use the rule below in any system that supports Yara to detect this Mac-based malware.
Conclusion
People generally assume that when they are using Macs they are relatively safe from malware. This has generally been true, but the belief is becoming less accurate by the day, as evidenced by the increasing diversity of Mac malware, this family among it. While this piece of Mac malware may not be the most stealthy program, it is feature-rich, and it goes to show that as OS X continues to grow in market share, we can expect malware authors to invest greater amounts of time in producing malware for this platform.
If you want to find out more about this malware, here is a pulse we have in the AlienVault Open Threat Exchange (OTX):
Appendix: