PremierOpinion Spyware Analysis

Distribution

PremierOpinion is being distributed by various distribution players and download sites. When installed, it is usually bundled with an additional software offer. For this analysis, I will be showcasing one example, in which PremierOpinion is being offered to end-users as an additional offer to a product software called “BitLord”, by BitTorrent.

As shown below, the installation process is designed to install PremierOpinion as if it were part of the BitLord application.

While users do have the option of declining the PremierOpinion offer, declining is not the default choice; the user has to opt out:

The PremierOpinion app, supposedly an app that presents polls to the user, is installed at /Applications/PremierOpinion/PremierOpinion.app

The application is signed with a valid Developer ID belonging to VoiceFive Networks.

PremierOpinion also installs two persistent processes through the system's launch agents and daemons:

    1. A Launch Agent in /Library/LaunchAgents/, which runs a background process called PremierOpinionAgent. The agent is set to run at boot and to relaunch itself if it is killed.
    2. A Launch Daemon in /Library/LaunchDaemons/.

The daemon launches an on-demand job through another plist, which runs a hidden bash script at /Applications/PremierOpinion/.PremierOpinionrn.sh

The script checks whether accessibility permissions are enabled by reading the AccessibilityAPIEnabled file. If they are disabled, it attempts to enable them by modifying that file; this only works on older versions of macOS.

The script then executes the actual daemon process, an app called PremierOpinionD. It is a sub-app bundled inside PremierOpinion.app, under PremierOpinion.app/Resources.

PremierOpinionD is the process that runs the actual proxy. A quick look at the code reveals that it is based on a project called CSProxy. It is configured to listen for incoming connections on ports 8888, 8443, and 8254.

The process then changes the local HTTPS proxy settings by loading the SystemConfiguration library and calling the following system APIs:

The proxy settings are set to localhost:8888, as can be seen in the macOS Network preferences panel:

From that point on, I can see that browser traffic is routed through that address:

What happens inside the proxy? First, I can see that it terminates, decrypts, and inspects all TLS traffic. This is made possible by a system-trusted certificate that PremierOpinionD installs using the Security APIs.

The self-signed certificate is issued to VoiceFive Networks Inc. and is installed as a trusted system root certificate. The proxy issues a derived certificate for each site the user browses, which the browser now trusts. This allows the proxy to decrypt browsing requests.

The proxy then opens connections to the actual websites on the user's behalf. The result is seamless; only an observant user would notice that the certificate for visa.com, for example, should not be issued by VoiceFive:

On top of this, in a test I ran on a few machines, I found that PremierOpinion installs the same certificate on all of them. Since the private key can easily be recovered from PremierOpinion, a third-party eavesdropper can intercept and decrypt TLS-protected communications without triggering browser warnings.

This can be done by creating a specially crafted phishing site, for example, or by hijacking a user's traffic and placing another MITM proxy that replaces that certificate. This is a design flaw, similar to the one seen in the infamous Superfish incident. Other apps that use a local proxy, such as the web debugger Fiddler, generate a unique certificate on each machine, which limits the impact of a leaked private key to that specific machine. Needless to say, explicit user consent is required in all cases.
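
The persistence entries, the local proxy listener and settings, and the shared VoiceFive certificate described above can be triaged on a host with the following script, an added example that is not part of the original write-up. The macOS command lines (networksetup, lsof, security) and their output formats are assumptions; each check takes the command's output as an argument so the parsing logic can be exercised on constructed samples.

```shell
# Added triage helpers for the PremierOpinion indicators described above, not code
# from the original post. Each check takes command output or a filesystem root as an
# argument so it runs on constructed samples; the macOS command lines are assumptions.

# 1. Persistence: LaunchAgent/LaunchDaemon plists mentioning PremierOpinion and the
#    hidden launcher script. $1 is "/" on a live Mac, a scratch directory in tests.
list_persistence_artifacts() {
    root=${1%/}
    grep -ls PremierOpinion "$root"/Library/LaunchAgents/*.plist \
                            "$root"/Library/LaunchDaemons/*.plist 2>/dev/null
    script="$root/Applications/PremierOpinion/.PremierOpinionrn.sh"
    [ -e "$script" ] && printf '%s\n' "$script"
    return 0
}

# 2. HTTPS proxy pointed at the local PremierOpinionD listener. $1 is the output of
#    `networksetup -getsecurewebproxy <service>` (assumed "Enabled:/Server:/Port:" lines).
proxy_points_to_local_8888() {
    printf '%s\n' "$1" | awk '
        /^Enabled:/ { on = ($2 == "Yes") }
        /^Server:/  { srv = $2 }
        /^Port:/    { port = $2 }
        END { exit !(on && (srv == "127.0.0.1" || srv == "localhost") && port == "8888") }'
}

# 3. Which of the proxy ports 8888, 8443 and 8254 are listening.
#    $1 is the output of `lsof -nP -iTCP -sTCP:LISTEN` (last field is "(LISTEN)").
premieropinion_listen_ports() {
    printf '%s\n' "$1" | awk '$NF == "(LISTEN)" {
        p = $(NF-1); sub(/.*:/, "", p)
        if (p == "8888" || p == "8443" || p == "8254") print p }' | sort -u
}

# 4. Hashes of VoiceFive certificates in the System keychain; identical hashes on two
#    machines confirm the shared certificate. $1 is the output of
#    `security find-certificate -a -Z -c VoiceFive /Library/Keychains/System.keychain`.
voicefive_cert_hashes() {
    printf '%s\n' "$1" | awk -F': *' '/^SHA-(1|256) hash:/ { print $2 }'
}

# Run all checks on a live Mac: sh triage.sh --live (network service name assumed).
run_live() {
    list_persistence_artifacts /
    proxy_points_to_local_8888 "$(networksetup -getsecurewebproxy Wi-Fi)" &&
        echo "HTTPS proxy is set to localhost:8888"
    premieropinion_listen_ports "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)"
    voicefive_cert_hashes "$(security find-certificate -a -Z -c VoiceFive \
        /Library/Keychains/System.keychain 2>/dev/null)"
}
case "${1-}" in --live) run_live ;; esac
```

Comparing the hashes printed by the last check across several machines is what reveals the shared certificate; a per-machine certificate would give a different value on each host.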

User data exfiltration

The PremierOpinionD process constantly pings its C&C server (*.securestudies.com), sending data collected about the user and the machine in clear-text HTTP requests. I captured information including the list of open applications, characteristics of mouse clicks, and machine information.

I find this highly concerning, as I could not find any actual use of the proxy for the purpose PremierOpinion claims. I did, however, find encrypted TLS traffic to the same domain coming from PremierOpinionD.

To find out what was being sent, I decided to give the spyware a taste of its own medicine. I ran another MITM proxy (using the mitmproxy project) in transparent mode. Using the built-in pf packet filter in macOS, I chained the two together by redirecting all traffic coming from PremierOpinionD's proxy to my own. Finally, I generated my own certificate (using OpenSSL) and installed it into the keychain as a system certificate in 'always trust' mode.

Now I could see the contents of the traffic PremierOpinion sends to its server. I noticed that the volume of traffic changed in parallel with the user's activity, especially web browsing.

PremierOpinion was logging every website the user navigated to, along with the application used (by PID), the user agent, the site's certificate (in this case it shows my fake one, but in general it will be the remote site's), and more.

And on a different flow, a list of all currently open applications:

Final Thoughts

PremierOpinion spyware has been around for quite some time, under different names and guises. I was able to find evidence of its activity dating back as early as 2007, on both Mac and Windows.

On macOS, the MITM practice is fairly new; I found evidence of this behaviour dating back about a year. It managed to stay under the radar for this entire time, largely because the MITM proxy was only used to collect data rather than modify it.

With PremierOpinion, the user is unaware of both its traffic hijacking and the fact that the same certificate is installed on countless machines, compromising privacy and security. Consequently, PremierOpinion also leaves the machine vulnerable to additional remote attacks, such as phishing or eavesdropping.

PremierOpinion is quite a popular spyware and is actively being spread among the masses these days. This makes PremierOpinion a serious threat to both user privacy and security.