Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malicious Mac OS X Backdoor Signed With Valid Developer ID Found on Activist’s Computer

Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Mac OS X Spyware Found On Users’ System Who Attended Oslo Freedom Forum

Researchers found malware which acts as a backdoor for OS X on a computer belonging to an activist attending the Oslo Freedom Forum this week.

Independent security researcher Jacob Appelbaum discovered the “new and previously unknown backdoor” on an African activist’s Mac during a workshop at The Oslo Freedom Forum, F-Secure’s Sean Sullivan wrote on the company blog. The workshop, ironically, was on how activists could secure their devices against government monitoring.

Mac Malware Macs.app

“Discussion at the #OsloFF just turned to discuss the backdoor I found on an Angolan dissident’s computer. Poor guy,” Appelbaum wrote on Twitter.

F-Secure is currently investigating the sample, but the backdoor application appears to take screenshots of the user’s computer and stores them in a folder in the user’s home directory called MacApp, Sullivan said. F-Secure researchers believe the application is related to an older sample, “HackBack,” and suspect it was commercially developed, Sullivan told SecurityWeek.

OSX/HackBack-A is an information-stealing Trojan designed to look for specific types of files, compress them into a zip file and upload them to a remote server. HackBack looks for various documents and images, including .txt, .doc, .eml, .pdf, .jpg, .xls, .log, .mbox, .pages, .tiff, and .ppt, among others.

While it’s not yet known how macs.app got on the activist’s computer, once installed, the application appended itself to the current user’s list of log-in items. This way, the app would run whenever the user is logged in. The application is designed to upload the screenshots to two remote servers, one in the Netherlands and the other in France. One of the servers is not responding and the other is returning a “public access forbidden” error message, Sullivan said.

Appelbaum called the malware “lame” since it was pretty simple and easily detected, but “deadly” because it was still able to spy on the activist. “The problem is that the author was good enough to get someone into mortal danger,” Appelbaum wrote on Twitter.

Advertisement. Scroll to continue reading.

The fact that the application, macs.app, was signed with a valid Apple Developer ID, may be a sign that the developer was trying to bypass Apple’s Gatekeeper. Designed to protect Macs from malicious applications downloaded and installed from the Internet, the execution prevention technology from Apple exists in OS X Mountain Lion and OS X Lion v10.7.5.

Since the backdoor is not making any attempt to hide itself, users can look for the MacApp folder in their home directories to figure out whether the malware has infected their Macs. Users should also remove the macs.app program from the computer completely, and make sure it’s not included on the log-in items list.

“As we all know, the problem isn’t good malware or lame malware. The problem is being spied upon,” Morgan Marquis-Boire, a security researcher at the Citizen Lab, wrote on Twitter. Marquis-Boire, also a security engineer at Google, has done extensive research on FinFisher and FinSpy, “a remote monitoring” program used by government agencies to intercept communications.

Updated 2:02PM ET with additional commentary from F-Secure

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Cody Barrow has been appointed as CEO of threat intelligence company EclecticIQ.

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.