When you download an application or installer from legitimate website, you establish a level of trust expecting not to be tricked or deceived.
Distribution:
The installer is distributed by Starfield a technology and research branch of Go Daddy Group. If you are Go Daddy user, when you logged-in, this tool is available in the tool section as:
1) Desktop Notified Installer
2) It is also offered as “Web-Based Email Tools plugin” promising that this tool will enable image paste.
It’s possible that this installer will be distributed elsewhere.
When you download the installer, you’ll notice two things:
1) It is telling you “Double-click to Install”
2) It is not the installer itself, instead it is a shortcut link.
Why?
It is a social engineering trick. It attempts to trigger user’s immediate impulse to respond based from a command or instruction.
total 8

In this stage, it is already too late because even if you decide to discard or cancel the authorization, the tricky ‘StarfieldInstall.app’ has already installed itself as follows:
1) It creates a ‘Starfield’ folder in the Application directory. In this folder, you’ll find a copy of itself and an update component.
/Application/Starfield/StarfieldInstall.app
/Application/Starfield/starfieldupdate.app
2) It is set to run at login by adding ‘starfieldupdate’ in the Login Items.
3) It is always running in the background.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Starfield 221 test txt REG 14,2 93668 1294527 /Applications/Starfield/starfieldupdate.app/Contents/MacOS/StarfieldUpdate
- OS version and CPU Type
- Local user
- Previous installation
- Starfield installation component versions
And performs the following:
- Checks user privilege on the system by checking if user is admin or if the user can be elevated to admin.
- StarfieldInstall launches ‘starfieldupdate.app’ which is kept in the background.
- ‘starfieldupdate.app’ is responsible for initial installation (first run) and updates.
- The initial installation path of Starfield would be:
- Dumps data log of its activity especially the installation. Notice the name ‘starfield’ in the ~/Library/Logs/ folder.
The payload is mainly handled by ‘StarfieldInstall.app’. When the user inputs the password, the installation continues by sending a HTTP request to the server as follows:
‘Moduleinfo’ is a JSON text which ‘StarfieldInstall.app’ parses and evaluating the content of a JSON string. For example, it reads and evaluate which package appropriate to the user: Windows or Mac.
{ "win" :
…
, "mac" :
It also evaluates the installation requirement, example:
StarfieldInstall’ compares this requirement defined by JSON file ‘moduleinfo’ before it downloads, extracts and run the latest package resulting to installation of the following:
starfieldinstall.zip
starfieldupdate.zip
fileedittool64.plugin.zip
fileedittool.zip
WBETools14.plugin
wbetools64.zip
copypaste.xpi
zoomext.xpi
offdavhelper_mac4.zip
offdavhelper_mac.zip
offsettings.bundle.zip
wbesettings.bundle.zip
drivemapreconnect.zip
backupstatus.zip
offsync_mac.zip
desktoptools.zip
wbedesktopnotifier.zip
So far we have 17 files here and 4 of these files do not require root password. It is important to take note that ‘StarfieldUpdate.app’ is always running in the background and launch ‘StarfieldInstall.app’ to perform the following:
– Evaluating JSON text ‘moduleinfo’ for update
– Download and installation of latest versions
– Discovery of products installed
– Running privileged shell command
It installs two Firefox extensions and plugins, which is persistent. It means that you can’t just click ‘uninstall’ to remove it . In Firefox, click Tools and Addons to view the installed Extensions and Plugins as shown below:
Another notable process created is ‘OffSyncService’ which is always running in the background .
In conclusion, this is a nasty and abusive application that performs remote activities and installation of unwanted plugins and application without user consent. It is a bloatware and a backdoor.