Mac Malware Variant Updated With New Tricks

Security researchers at Intego shined a light on a piece of Mac malware with some new tricks up its sleeve.

Researchers at Intego reported that a new variant of a rootkit detected as OSX/Crisis had reached their malware labs. Like previous variants, OSX/Crisis.C is delivered via a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, the authors of the malware – known as the Hacking Team – have introduced some new twists in the form of changes to the dropper code and the backdoor configuration file format.

“The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program,” blogged researcher Arnaud Abbati. “For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.”

When the dropper runs successfully, it hides several files in the user’s Library/Preferences folder in the home directory inside a fake application bundle named OvzD7xFr.app. Once that is done, it executes a backdoor and creates a LaunchAgent file called com.apple.mdworker.plist, Intego reported.

“Similar to OSX/Crisis.B, this binary is obfuscated using MPress packer,” Abbati explained. “It doesn’t run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an “Image not found” exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).”
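The persistence described above (a fake bundle under ~/Library/Preferences plus a LaunchAgent named after Apple's own mdworker) is something an analyst can hunt for without a signature. The script below is an added example, not Intego's code: it scans a LaunchAgents folder and flags plists whose label imitates Apple (com.apple.*) but whose program lives outside Apple-owned paths, or whose program sits under ~/Library/Preferences. The trusted-path list, the benign com.example.updater job and the executable name "agent" inside OvzD7xFr.app are assumptions constructed for the demo; the article does not name the binary.

```python
"""Hunt for LaunchAgents that imitate Apple but launch from user-writable
locations. Added example, not Intego's tooling; sample plists are constructed."""
import os
import plistlib
import tempfile

# Locations Apple's own launchd jobs run from (assumption for this example).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_path(plist):
    """Return the executable a launchd job starts (Program or ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def suspicious_reasons(plist, home):
    """List why a LaunchAgent looks like the OSX/Crisis pattern; empty if clean."""
    label = str(plist.get("Label", ""))
    prog = os.path.expanduser(program_path(plist))
    reasons = []
    if label.startswith("com.apple.") and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("Apple-style label but program is outside Apple-owned paths")
    if prog.startswith(os.path.join(home, "Library", "Preferences") + os.sep):
        reasons.append("program runs from ~/Library/Preferences (data folder, not a bundle location)")
    return reasons


def scan_launch_agents(agents_dir, home):
    """Map plist filename -> reasons for every suspicious job in agents_dir."""
    findings = {}
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except Exception:  # malformed plist is itself worth a look
                findings[name] = ["unparseable plist"]
                continue
        reasons = suspicious_reasons(plist, home)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample(root):
    """Construct a fake home with one benign and one Crisis-style LaunchAgent."""
    home = os.path.join(root, "home")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    # Hypothetical binary name "agent"; the bundle name is the one Intego reported.
    backdoor = os.path.join(home, "Library", "Preferences", "OvzD7xFr.app",
                            "Contents", "MacOS", "agent")
    jobs = {
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "Program": "/usr/local/bin/updater"},
        "com.apple.mdworker.plist": {"Label": "com.apple.mdworker",
                                     "ProgramArguments": [backdoor],
                                     "RunAtLoad": True},
    }
    for name, plist in jobs.items():
        with open(os.path.join(agents, name), "wb") as fh:
            plistlib.dump(plist, fh)
    return agents, home


def demo():
    """Run the scan against the constructed sample and return the findings."""
    agents, home = build_sample(tempfile.mkdtemp())
    return scan_launch_agents(agents, home)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On a real machine, call scan_launch_agents on ~/Library/LaunchAgents and ~/Library/LaunchDaemons (and /Library/LaunchAgents for system-wide jobs) with home set to the user's actual home directory; the only finding on the constructed sample is the mdworker look-alike, which trips both checks.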

“Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit,” the researcher added.

Meanwhile, researchers at Sophos spotted Mac malware targeting users through courier scam emails. If a recipient clicks on the link in the email, they are taken to a malicious domain, where users of Apple’s Safari browser are served with digitally-signed malware disguised as a PDF file.

“By default, on OS X 10.9.1 (the latest update to Mavericks, Apple’s most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen,” explained Paul Ducklin at Sophos.

But there is no PDF file; instead Safari has automatically unzipped the download, producing an Application bundle that has been given a PDF icon.

“OS X does try to advise you that you aren’t opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to “run a software program”, rather than merely to “open” the file,” Ducklin noted.

“If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it,” he added. “But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung.”
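Because Safari had already unzipped the download, the object on disk is a directory that happens to be an application bundle, not a PDF, whatever icon it shows. The check below is an added example (not Sophos's code) that classifies a downloaded item by its on-disk structure rather than its name or icon: a plain file is a document, while a folder containing Contents/Info.plist with CFBundlePackageType APPL (or a Contents/MacOS directory) is an application. The sample items, including the bundle whose executable is named foung after the process Sophos observed, are constructed for the demo.

```python
"""Classify a download by structure, not by icon. Added example, not Sophos's
code; the sample bundle and PDF below are constructed."""
import os
import plistlib
import tempfile


def classify_download(path):
    """Return 'document', 'app-bundle' or 'directory' for a downloaded item."""
    if os.path.isfile(path):
        return "document"
    if not os.path.isdir(path):
        return "missing"
    info = os.path.join(path, "Contents", "Info.plist")
    macos = os.path.join(path, "Contents", "MacOS")
    if os.path.isfile(info):
        with open(info, "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except Exception:
                plist = {}
        if plist.get("CFBundlePackageType") == "APPL" or os.path.isdir(macos):
            return "app-bundle"
    return "directory"


def bundle_executable(path):
    """Name of the program an app bundle would run, or None for non-bundles."""
    if classify_download(path) != "app-bundle":
        return None
    with open(os.path.join(path, "Contents", "Info.plist"), "rb") as fh:
        return plistlib.load(fh).get("CFBundleExecutable")


def build_sample(root):
    """Construct a genuine PDF next to an app bundle wearing a PDF icon."""
    pdf = os.path.join(root, "Shipping Receipt.pdf")
    with open(pdf, "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed sample\n")
    # Constructed bundle: the name the user sees versus what it really is.
    app = os.path.join(root, "Shipping Receipt.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundlePackageType": "APPL",
                       "CFBundleExecutable": "foung",
                       "CFBundleIconFile": "pdf.icns"}, fh)
    with open(os.path.join(app, "Contents", "MacOS", "foung"), "wb") as fh:
        fh.write(b"")  # placeholder for the executable body
    return pdf, app


def demo():
    """Classify both constructed items; returns {basename: (kind, executable)}."""
    pdf, app = build_sample(tempfile.mkdtemp())
    return {os.path.basename(p): (classify_download(p), bundle_executable(p))
            for p in (pdf, app)}


if __name__ == "__main__":
    for name, (kind, exe) in demo().items():
        print(f"{name!r}: {kind}" + (f" (runs {exe})" if exe else ""))
```

The same structural test is what a download-monitoring script or an EDR rule should apply before trusting a "document": Finder hides the .app suffix and honours the icon the bundle supplies, so the name and icon prove nothing. The auto-unzip behaviour itself is Safari's "Open 'safe' files after downloading" option, stored in the com.apple.Safari preference AutoOpenSafeDownloads; turning it off leaves the archive unexpanded, so the bundle is never created until the user acts.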

Written By

Marketing professional with a background in journalism and a focus on IT security.
