Security researchers at Intego shined a light on a piece of Mac malware with some new tricks up its sleeve.
Researchers at Intego reported that a new variant of a rootkit detected as OSX/Crisis had reached their malware labs. Like previous variants, OSX/Crisis.C is delivered via a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, the authors of the malware – known as the Hacking Team – have introduced some new twists in the form of changes to the dropper code and the backdoor configuration file format.
“The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program,” blogged researcher Arnaud Abbati. “For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.”
When the dropper runs successfully, it hides several files in the user’s Library/Preferences folder in the home directory inside a fake application bundle named OvzD7xFr.app. Once that is done, it executes a backdoor and creates a LaunchAgent file called com.apple.mdworker.plist, Intego reported.
“Similar to OSX/Crisis.B, this binary is obfuscated using MPress packer,” Abbati explained. “It doesn’t run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an “Image not found” exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).”
“Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit,” the researcher added.
Meanwhile, researchers at Sophos spotted Mac malware targeting users through courier scam emails. If a recipient clicks on the link in the email, they are taken to a malicious domain, where users of Apple’s Safari browser are served with digitally-signed malware disguised as a PDF file.
“By default, on OS X 10.9.1 (the latest update to Mavericks, Apple’s most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen,” explained Paul Ducklin at Sophos.
But there is no PDF file; instead Safari has automatically unzipped the download, producing an Application bundle that has been given a PDF icon.
“OS X does try to advise you that you aren’t opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to “run a software program”, rather than merely to “open” the file,” Ducklin noted.
“If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it,” he added. “But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung.”