Pirrit

Summary
Adware that hitches a ride on malicious DMG files
Class
Adware
Class Summary
Adware is a type of software that delivers unsolicited advertisements, typically through pop-up messages or browser redirection. While not always harmful, adware can significantly degrade system performance and user experience. Adware often infiltrates systems through free software downloads or malicious websites. If adware made it onto the system, scrutinize any recent software downloads, especially free software, as it is often the source. Adware can often be removed by looking for odd LaunchAgents, LaunchDaemons, and unexpected third-party browser extensions.
Description

Pirrit is a persistent macOS adware first seen in 2016. It emerged again in late 2021 with new activity. Typically installed via malicious DMG files, Pirrit changes browser settings, installs tracking extensions, and configures a local proxy to inject ads. It maintains persistence using a LaunchAgent and hidden user account. With full system control, it could theoretically steal sensitive user data. Pirrit often drops payloads in random 8-character directories under /tmp and Application Support. The adware is relatively advanced in its evasion techniques. For example, it checks for virtual machines before continuing execution to evade analysis and detection.
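The description above gives three host-level indicators worth hunting for: random 8-character directories under /tmp and Application Support, a LaunchAgent pointing into such a directory, and a hidden user account. The following triage helpers are an added example written for this entry, not code from the catalogue or from any analysis of Pirrit itself. The matching rules (8 alphanumeric characters, the dscl IsHidden attribute, a UID below 500 for a non-system name) are heuristics I chose, and the file listing, plist dictionaries and account records are constructed for the demonstration; on a real host they would come from os.listdir, plistlib.load and dscl output.

```python
"""Triage helpers for the Pirrit-style indicators described above.
Added example: heuristics and sample data are constructed, not taken from
the catalogue entry or from real Pirrit samples."""
import re
from pathlib import PurePosixPath

# Heuristic: exactly 8 alphanumeric characters, as the entry describes.
DROPDIR_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Built-in macOS accounts with UID < 500 that are expected to exist (assumed allowlist).
KNOWN_SYSTEM_USERS = {"root", "daemon", "nobody"}


def is_random_dropdir(path: str) -> bool:
    """True when the directory name is 8 alphanumerics and sits directly under
    /tmp or under any 'Application Support' folder (system- or user-level)."""
    p = PurePosixPath(path)
    in_drop_parent = str(p.parent) == "/tmp" or p.parent.name == "Application Support"
    return in_drop_parent and bool(DROPDIR_RE.match(p.name))


def find_dropdirs(paths):
    return sorted({p for p in paths if is_random_dropdir(p)})


def suspicious_launchagents(agents, dropdirs):
    """agents: list of (plist_path, plist_dict) as plistlib.load would return.
    Flags agents whose program lives in a flagged drop directory or under /tmp."""
    hits = []
    for plist_path, plist in agents:
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else "")
        if not program:
            continue
        if program.startswith("/tmp/") or any(program.startswith(d + "/") for d in dropdirs):
            hits.append((plist_path, program))
    return hits


def hidden_accounts(records):
    """records: {username: {attribute: value}} in the shape of `dscl . -read /Users/<name>`.
    Flags IsHidden=1, or a UID below 500 on a name that is not a known system account."""
    flagged = []
    for user, attrs in records.items():
        if attrs.get("IsHidden") == "1":
            flagged.append(user)
        elif (attrs.get("UniqueID", 500) < 500
              and not user.startswith("_") and user not in KNOWN_SYSTEM_USERS):
            flagged.append(user)
    return sorted(flagged)


# Constructed sample data (not real IoCs).
SAMPLE_PATHS = [
    "/tmp/kQ7Lm2Xz",                                          # 8-char random dir under /tmp
    "/tmp/com.apple.launchd.abc",                             # benign-looking, contains dots
    "/Users/alice/Library/Application Support/Ab3dE9Gh",      # 8-char random dir
    "/Users/alice/Library/Application Support/Firefox",       # legitimate vendor dir
]
SAMPLE_AGENTS = [
    ("/Users/alice/Library/LaunchAgents/com.kQ7Lm2Xz.plist",
     {"Label": "com.kQ7Lm2Xz", "ProgramArguments": ["/tmp/kQ7Lm2Xz/agent", "-d"], "RunAtLoad": True}),
    ("/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     {"Label": "com.example.updater", "Program": "/Applications/Example.app/Contents/MacOS/updater"}),
]
SAMPLE_ACCOUNTS = {
    "alice": {"UniqueID": 501, "IsHidden": "0"},
    "root": {"UniqueID": 0},
    "_spotlight": {"UniqueID": 89},
    "svcupd": {"UniqueID": 499, "IsHidden": "1"},   # constructed hidden account
}


def triage(paths=SAMPLE_PATHS, agents=SAMPLE_AGENTS, accounts=SAMPLE_ACCOUNTS):
    dropdirs = find_dropdirs(paths)
    return {
        "dropdirs": dropdirs,
        "launchagents": suspicious_launchagents(agents, dropdirs),
        "hidden_accounts": hidden_accounts(accounts),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Each rule is deliberately loose so that it surfaces candidates for a human to review: a legitimate vendor that happens to use an 8-character folder name will be flagged too, which is the right trade-off for a hunt rather than an automated remediation.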

Example Hashes
  • 64bb231008267ccba3c67426c4b2dfa5867b2edc