
OSX/NewTab

Posted: December 2, 2019

OSX/NewTab is a threat that inserts tabs into the Safari browser on macOS systems. Although the purposes of the attack aren't known, browser-based injections can be responsible for collecting information, redirecting users to harmful websites, generating fake ad traffic and other security issues. Users should update any compatible anti-malware solutions and remove OSX/NewTab from their browsers promptly.

A Browser Downgrade Unasked for and Invisible

Although the majority of Trojans, worms, and other threats aim for the broadest possible set of victims – meaning Windows users – minority platforms like Android, Linux, and macOS also are at risk. OSX/NewTab, which was first caught operating in the wild in April of 2019, is a browser-based threat with unclear motives and an unusual choice of target environment. In this case, the Trojan's campaign is attacking macOS's Safari browser, although no one is yet sure why.

OSX/NewTab's primary behavior is injecting additional, unwanted tabs into the Safari Web browser. In this respect, it could invite comparison to Potentially Unwanted Programs and browser-hijacking extensions, which are only low-level threats. Nonetheless, after assembling further details about its distribution, installation, and persistence techniques, malware analysts are confirming it as a threatening and deliberately hidden program.

OSX/NewTab uses a legitimate Apple Developer ID to make itself appear to be trustworthy software, and includes unknown forms of obfuscation for hiding from security, AV and anti-malware products. Its installers use, in at least some cases, traditional phishing tactics to get onto users' computers, such as posing as government-forms software or a recipe-organizing application. Users might encounter the threat through malvertising (compromised Web advertisements), e-mail attachments or even social networking messages.

What Harm Can a Little Tab Do?

The long-term motivations behind OSX/NewTab's campaign are unknown. Still, the significant work put into its disguises and distribution implies either espionage or large-scale for-profit campaigns, rather than mere pranks or random sabotage. Some of the security concerns that malware researchers advise watching for while dealing with browser-injecting Trojans such as OSX/NewTab include:

  • Drive-by downloads can occur through contact with Exploit Kits, corrupted websites, hacked websites or compromised advertising networks. These downloads may use disguises such as fake software updates or typo-squatted domains to trick users into accepting them, or may exploit script-based vulnerabilities.
  • Threats also may use additional tabs or tab-injected content to drive traffic to a revenue source for the criminals, such as an advertisement. Excessive advertising traffic may endanger your computer (as seen above) or cause performance problems.
  • Many browser-based threats also will hijack your browser's homepage or search settings.
  • Besides delivering threatening software, browser hijackings and other attacks can lead to contact with Potentially Unwanted Programs, such as unwanted extensions or questionable security and cleaner products, like Mac Auto Fixer.
  • Last, and most threatening, threats may insert scripts, redirect your browser, and cause other side effects in order to intercept and collect information, including credit card credentials and passwords. Such techniques are particularly common in Brazilian banking Trojans like NovaLoader.

Which of these end goals OSX/NewTab pursues is uncertain. Until more information on its Web resources and behavior is available, users should treat it as a high-level threat and use updated macOS anti-malware products to remove OSX/NewTab immediately.

For now, OSX/NewTab is successfully dodging many of the heuristic methods that security programs use to flag threatening behavior. Hopefully, that state of affairs is only temporary, as the cyber-security industry races to catch up with a months-old browser abuser.
