MacOS - Malware in Safari Cache!

I was browsing some finance websites when I got a warning from my third-party anti-virus (not XProtect) that a ‘trojan.gen.npe’ had been detected and quarantined. I checked the activity logs and could see this had also happened 3 other times over the previous few days.

I was able to pinpoint the webpage from the time stamps and put the URL through VirusTotal. I was hoping it was a false positive but unfortunately 42 vendors' analyses showed it to be malicious and have malware.

Looks to be a drive-by attack with malicious JavaScript being injected.

VirusTotal detected from URL:

GT.JS.Injection.2.1bd84588

JS/Agent.PHC

javascript.malware.injection

Trojan.JS.SubberWorm

Trojan.Malscript

HEUR.Trojan.Script.Generic

Unfortunately, I deleted the malicious files so could not upload them to VirusTotal.

The trojan was detected in Safari’s cache; I didn’t download anything or click on any ads, so it was malicious code within the webpage cached by Safari.

My questions are:

- Macbook is running MacOS Sonoma and is updated with the latest version. How is it susceptible to a drive-by attack? Apple have patched Safari in previous OS releases to prevent this?

- Is Safari sandboxed? Can the trojan affect anything outside of Safari’s cache folder, or is it containerised?

- How is the malicious code triggered? Can it run outside of Safari?

- Why didn’t XProtect pick this up? Is it because it was just in the Safari cache and didn’t see it as a threat?

Any thoughts welcomed, thanks.


MacBook Air (M2, 2022)

Posted on Dec 6, 2023 8:21 AM
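The triage step the poster describes, matching antivirus quarantine timestamps against Safari's browsing history to find the page that was cached, as an added example (not code from the thread or from Apple). It assumes a History.db layout of history_items(id, url) and history_visits(history_item, visit_time) with visit_time in seconds since 2001-01-01 UTC; the database contents and detection times are constructed for illustration.

```python
"""Correlate antivirus detection times with Safari's History.db (added example).
Assumed layout: history_items(id, url), history_visits(history_item, visit_time),
visit_time = seconds since 2001-01-01 UTC. All data below is constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple "absolute time" epoch


def to_mac_time(dt):
    """Aware datetime -> seconds since 2001-01-01 UTC, as stored in visit_time."""
    return (dt - MAC_EPOCH).total_seconds()


def build_sample_history():
    """Constructed in-memory stand-in for a copy of ~/Library/Safari/History.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE history_visits (history_item INTEGER, visit_time REAL);")
    conn.executemany("INSERT INTO history_items VALUES (?, ?)",
                     [(1, "https://finance.example/quotes"), (2, "https://news.example/")])
    conn.executemany("INSERT INTO history_visits VALUES (?, ?)", [
        (1, to_mac_time(datetime(2023, 12, 6, 8, 0, tzinfo=timezone.utc))),
        (2, to_mac_time(datetime(2023, 12, 6, 7, 30, tzinfo=timezone.utc))),
        (1, to_mac_time(datetime(2023, 12, 4, 9, 15, tzinfo=timezone.utc)))])
    return conn


def sample_detections():
    """Constructed quarantine timestamps, as read from an antivirus activity log."""
    return [datetime(2023, 12, 6, 8, 2, tzinfo=timezone.utc),
            datetime(2023, 12, 4, 9, 16, tzinfo=timezone.utc)]


def visits_before(conn, detection_time, window_minutes=5):
    """(url, visit datetime) pairs recorded within window_minutes before a detection."""
    hi = to_mac_time(detection_time)
    rows = conn.execute(
        "SELECT i.url, v.visit_time FROM history_visits v "
        "JOIN history_items i ON i.id = v.history_item "
        "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time",
        (hi - window_minutes * 60, hi)).fetchall()
    return [(url, MAC_EPOCH + timedelta(seconds=t)) for url, t in rows]


def suspect_urls(conn, detections, window_minutes=5):
    """URLs ranked by how many detections they precede; repeat hits are the lead."""
    counts = {}
    for det in detections:
        for url in {u for u, _ in visits_before(conn, det, window_minutes)}:
            counts[url] = counts.get(url, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

On a real Mac, run this against a copy of History.db rather than the live file, so Safari's own lock on the database does not interfere.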

Question marked as Best reply

Posted on Dec 6, 2023 10:12 AM

MacKats wrote:

Macbook is running MacOS Sonoma and is updated with the latest version. How is it susceptible to a drive-by-attack?

It isn't. Don't believe what you read on the internet. And especially don't believe what antivirus apps or VirusTotal tells you.

Apple have patched Safari in previous OS releases to prevent this?

Security in a web browser is a much different thing than with other apps or with the operating system. Safari is, by all accounts, the safest web browser.

Is Safari sandboxed?

Yes. In multiple ways.

Can the trojan affect anything outside of Safari’s cache folder, or is it containerised?

First of all, it probably isn't anything malicious to begin with. Antivirus apps are notorious for being wrong. Even if it is actually malware, it can't hurt anything.


If you noticed, it didn't actually tell you which websites were involved or what the Javascript actually was. Otherwise, you would be able to investigate, compare notes with others, and discover that it is totally harmless.

How is the malicious code triggered

It isn't malicious and it doesn't ever get triggered.

can it run outside of Safari?

Can it run inside Safari?


That's one of the inherent difficulties in web browsers. They run software from the internet. That's fundamentally what they do. If that concerns you, then you probably shouldn't be using a web browser. Apple goes to great lengths to ensure that no Javascript running inside Safari can do any damage. But for 3rd party web browsers, you're on your own.

Why didn’t XProtect pick this up?

XProtect is only triggered when you try to launch an app. It is a separate system from Safari.

Is it because it was just in the Safari cache and didn’t see it as a threat?

It isn't a threat.

Dec 6, 2023 10:42 AM in response to Mac Jim ID

If you did search the community pages here, you would find that the AntiVirus software is the problem. They will monetize their efforts by scaring you. You have nothing to worry about as far as infecting your system by visiting websites. Your best option for protecting yourself is the ability to recognize the many phishing attempts that you will come across on the internet, mail, and messages. There is no AntiVirus software that will help you, that is something you would need to learn on your own.

Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support

Dec 6, 2023 9:11 AM in response to MacKats

Many websites contain Javascript code that will pop up those fake technical support notifications and the famous Flash Player Update notification. This is Malware on the website, but does not affect your system. The websites typically get paid for these to pop up when you visit them, so it does not always mean there is an active virus on the site, just that it contains javascript code to pop up these fake alerts.


Safari is sandboxed and more importantly, your system is locked in a read only volume on your hard drive and there is no way to change your system files or install a virus. The typical Malware we see is when a user falls for a fake notification when browsing and calls a fake technical support number and gives them their Apple ID credentials, or clicks the Update Flash Player button, or allows Notifications from websites that will display fake notifications that your system has been compromised.


XProtect did not pick up what you saw because there is no harm to your system and there is no antivirus program that will stop you from calling a fake number and giving them your credentials. Third Party A/V will always try to make themselves relevant by claiming they protected you from a bad virus. This is their sole revenue source and a lot of them can be considered Malware as well, since they give you a fake alert to scare you into installing more software or continuing a subscription that they provide to protect you.


There is no concern for a drive-by attack just by visiting a website. With that said, if you do actively click a link on a site, you can download software that plagues you with fake notifications of a virus or redirect your search results. These are easily removed and can always be prevented by practicing safe browsing behavior, which I'm sure you do.


My recommendation is to never use third party Anti-Virus, Cleaner apps, or apps that claim to speed up your system. In addition practice safe browsing behavior by not falling for notifications that attempt to scare you such as a message saying you have a virus. Never click the Update Flash Player notification. Never trust links in emails or messages as they can be easily spoofed. If you follow those tips, you have nothing to worry about. If you did inadvertently click a link that produces these fake alerts, the only recommended way to remove this Malware is a program called MalwareBytes. This is a free program and it should only be used for a single scan when you suspect a problem. After it runs, it will remove any Malware, then you should delete the program and change your browsing behavior. There is no need to have it run continuously.

https://www.malwarebytes.com


Feel free to click the search tab at the top of the screen and enter the name of your Anti-Virus for the problems that other users have experienced.

Dec 6, 2023 10:08 AM in response to Mac Jim ID

Thanks for your response.


I didn’t get a pop up on the webpage; I was alerted via my antivirus. It quarantined files as Trojan.gen and the original path showed them to be in Safari’s cache.


I put the website that I had been on into VirusTotal which searches the URL against different security vendors. 42 of them reported the site as being malicious with JavaScript trojans being identified.


I deleted the quarantined files, but they were originally in Safari’s cache. Following this all scans have come back clear, including Malwarebytes.


I'm concerned as the files were actually in the cache: could they have been triggered and run outside of Safari?


My antivirus and a separate Malwarebytes scan both found these files and identified them as trojans but XProtect did not?


I checked VirusTotal as I was hoping it was a false positive, but they identified the site as malicious which has raised my concerns.

Dec 6, 2023 10:33 AM in response to MacKats

To specifically answer your questions, No, the cached Safari files cannot run outside of Safari.


And 2, XProtect did not stop these in your cache because there is no harm to your system.


As said before, the Javascript injections are simply code that is on the website that provides pop ups on the site that have been shown to be malicious if you act on them. These are typically the fake technical support ads with fake phone numbers for you to call. The website is usually getting paid. The methods they allow for the ads to pop up are well-known Javascript injections into the website.


It's the website that has this code and as with any website, the code is stored in the browser cache, so when you return to the site, the page is loaded from cache. This does not mean there is anything malicious going on in the cache while you are using your computer. It is just sitting there waiting to load the site again. When you do, the site loads from the cache including the pop up that was included on the website.


There is a very large percentage of sites on the internet that contain code to pop up ads, since usually that is the only way that they can pay for the servers running the site. A lot of those ads can be categorized as malicious since what they are telling you is not true and many are phishing you for information that they can use against you. This has nothing to do with the security of your computer as your computer is not infected with a virus and there is no chance of it spreading to other devices, which is what a virus does. A Trojan Horse is simply anything that claims to be one thing, but does another. This is true of a lot of the content you will find on the internet and is not an infection that needs to be removed.
