Field | Value |
---|---|
ID | X0007 |
Aliases | |
Platforms | OS X |
Year | 2015 |
Associated ATT&CK Software | None |
Genieo is adware associated with the DYLD_PRINT_TO_FILE vulnerability. Genieo can gain access to the Mac Keychain and persists until removed by the user. When the installer is executed, it creates the following files:
- /Applications/Genieo.app
- /Applications/Uninstall Genieo.app
- ~/Library/Application Support/com.genieoinnovation.Installer/Completer.app
- ~/Library/LaunchAgents/com.genieo.completer.download.plist
- ~/Library/LaunchAgents/com.genieo.completer.update.plist
- ~/Library/Safari/Extensions/Omnibar.safariextz
- ~/Library/Application Support/Genieo/
- /tmp/GenieoInstall.dmg
- /tmp/tmpinstallmc.dmg
Next, the program changes the browser's default search engine and homepage to the domain search.genieo.com.
The program then installs the browser extension ~/Library/Safari/Extensions/Omnibar.safariextz.
When the user enters a search query, it appears to be carried out using Google Search, but the results come from genieo.com.
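The persistence described above rests on the two com.genieo.completer.* LaunchAgents. The following is an added detection example, not code from this page or from any vendor write-up: it scans a LaunchAgents folder, flags plists whose Label or program path references Genieo, and reports plists it cannot parse. The sample folder it builds is constructed for the demonstration; the Completer.app executable path inside it is an assumption about the bundle layout, not a path taken from the page.

```python
import os
import plistlib
import tempfile

# Label prefix taken from the LaunchAgent names listed in the description above.
GENIEO_LABEL_PREFIX = "com.genieo."

def suspicious_launch_agents(agents_dir):
    """Return (filename, label, program) for every plist in agents_dir whose
    Label or program path references Genieo. Unparseable plists are reported
    as well, since a malformed file in LaunchAgents deserves a look."""
    hits = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # truncated or non-plist content
            hits.append((name, None, "unparseable: %s" % exc))
            continue
        label = str(data.get("Label", ""))
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        program = " ".join(str(a) for a in args)
        if label.startswith(GENIEO_LABEL_PREFIX) or "genieo" in (label + program).lower():
            hits.append((name, label, program))
    return hits

def build_sample_agents_dir():
    """Constructed sample LaunchAgents folder (not real Genieo files): one agent
    mimicking the com.genieo.completer.update label, one benign, one broken."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "com.genieo.completer.update.plist"), "wb") as fh:
        # Executable path below is an assumed bundle layout, constructed for the demo.
        plistlib.dump({"Label": "com.genieo.completer.update",
                       "ProgramArguments": ["/Users/alice/Library/Application Support/"
                                            "com.genieoinnovation.Installer/Completer.app/"
                                            "Contents/MacOS/Completer", "-update"],
                       "RunAtLoad": True}, fh)
    with open(os.path.join(d, "com.example.backup.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.backup", "Program": "/usr/local/bin/backup"}, fh)
    with open(os.path.join(d, "broken.plist"), "wb") as fh:
        fh.write(b'<plist version="1.0"><dict><key>Label</key>')  # truncated on purpose
    return d

if __name__ == "__main__":
    for hit in suspicious_launch_agents(build_sample_agents_dir()):
        print(hit)
```

On a real machine, point `suspicious_launch_agents` at `~/Library/LaunchAgents` (and `/Library/LaunchAgents`) instead of the constructed folder.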
Name | Use |
---|---|
Install Additional Program | Genieo installs the browser extension ~/Library/Safari/Extensions/Omnibar.safariextz. It also creates the app files listed in the description above. [1] |
[1] https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/
[2] https://support.norton.com/sp/en/us/home/current/solutions/v103415336_EndUserProfile_en_us
[3] https://www.symantec.com/security_response/writeup.jsp?docid=2014-071013-3137-99