Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist’s Computer

Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Independent security researcher Jacob Appelbaum discovered the “new and previously unknown backdoor” on an African activist’s Mac during a workshop at The Oslo Freedom Forum, F-Secure’s Sean Sullivan wrote on the company blog. The workshop, ironically, was on how activists could secure their devices against government monitoring.

Mac Malware Macs.app

“Discussion at the #OsloFF just turned to discuss the backdoor I found on an Angolan dissident’s computer. Poor guy,” Appelbaum wrote on Twitter.

F-Secure is currently investigating the sample, but the backdoor application appears to take screenshots of the user’s computer and stores them in a folder in the user’s home directory called MacApp, Sullivan said. F-Secure researchers believe the application is related to an older sample, “HackBack,” and suspect it was commercially developed, Sullivan told SecurityWeek.

OSX/HackBack-A is an information-stealing Trojan designed to look for specific types of files, compress them into a zip file and upload them to a remote server. HackBack looks for various documents and images, including .txt, .doc, .eml, .pdf, .jpg, .xls, .log, .mbox, .pages, .tiff, and .ppt, among others.

While it’s not yet known how macs.app got on the activist’s computer, once installed, the application appended itself to the current user’s list of log-in items. This way, the app would run whenever the user is logged in. The application is designed to upload the screenshots to two remote servers, one in the Netherlands and the other in France. One of the servers is not responding and the other is returning a “public access forbidden” error message, Sullivan said.

Appelbaum called the malware “lame” since it was pretty simple and easily detected, but “deadly” because it was still able to spy on the activist. “The problem is that the author was good enough to get someone into mortal danger,” Appelbaum wrote on Twitter.

The fact that the application, macs.app, was signed with a valid Apple Developer ID, may be a sign that the developer was trying to bypass Apple’s Gatekeeper. Designed to protect Macs from malicious applications downloaded and installed from the Internet, the execution prevention technology from Apple exists in OS X Mountain Lion and OS X Lion v10.7.5.

Since the backdoor is not making any attempt to hide itself, users can look for the MacApp folder in their home directories to figure out whether the malware has infected their Macs. Users should also remove the macs.app program from the computer completely, and make sure it’s not included on the log-in items list.

“As we all know, the problem isn’t good malware or lame malware. The problem is being spied upon,” Morgan Marquis-Boire, a security researcher at the Citizen Lab, wrote on Twitter. Marquis-Boire, also a security engineer at Google, has done extensive research on FinFisher and FinSpy, “a remote monitoring” program used by government agencies to intercept communications.

Updated 2:02PM ET with additional commentary from F-Secure

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.