Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mac Malware Variant Updated With New Tricks

Security researchers at Intego shined a light on a piece of Mac malware with some new tricks up its sleeve.

Security researchers at Intego shined a light on a piece of Mac malware with some new tricks up its sleeve.

Researchers at Intego reported that a new variant of a rootkit detected as OSX/Crisis had reached their malware labs. Like previous variants, OSX/Crisis.C is delivered via a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, the authors of the malware – known as the Hacking Team – have introduced some new twists in the form of changes to the dropper code and the backdoor configuration file format.

Mac Malware“The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program,” blogged researcher Arnaud Abbati. “For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.”

When the dropper runs successfully, it hides several files in the user’s Library/Preferences folder in the home directory inside a fake application bundle named OvzD7xFr.app. Once that is done, it executes a backdoor and creates a LaunchAgent file called com.apple.mdworker.plist, Intego reported.

“Similar to OSX/Crisis.B, this binary is obfuscated using MPress packer,” Abbati explained. “It doesn’t run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an “Image not found” exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).”

“Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit,” the researcher added.

Meanwhile, researchers at Sophos spotted Mac malware targeting users through courier scam emails. If a recipient clicks on the link in the email, they are taken to a malicious domain, where users of Apple’s Safari browser are served with digitally-signed malware disguised as a PDF file.

“By default, on OS X 10.9.1 (the latest update to Mavericks, Apple’s most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen,” explained Paul Ducklin at Sophos.

But there is no PDF file; instead Safari has automatically unzipped the download, producing an Application bundle that has been given a PDF icon.

“OS X does try to advise you that you aren’t opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to “run a software program”, rather than merely to “open” the file,” Ducklin noted.

“If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it,” he added. “But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...