Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Mac Malware Offers ‘Pint-sized’ Problem

Earlier this week, Mac security firm Intego discovered a new type of malware for Mac OS X, which will pose a bit of a problem when it comes to protection, given its use of Open SSH. Yet, while there is speculation, the methods used to propagate the malicious code remains unknown.

Earlier this week, Mac security firm Intego discovered a new type of malware for Mac OS X, which will pose a bit of a problem when it comes to protection, given its use of Open SSH. Yet, while there is speculation, the methods used to propagate the malicious code remains unknown.

Intego calls their latest discovery a “Pint-sized backdoor” given its nature, but they’ve also shutdown the avenues of communication the Trojan’s operators were using at the time of its discovery. So for now, it’s a non-threat, but the way the Trojan operates is what made Intego sit-up and take notice.

“The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories,” the AV firm wrote in a brief on the malware.

According to their research, the malware was using a communication address of corp-aapl.com, the name for Apple’s stock symbol. Intego says that their research thus far has led them to believe that the threat likely starts with an exploit that gets the malware past Gatekeeper, and once installed opens a reverse-shell with the secured connection. This implicates drive-by infections, or other types of socially-engineered attacks.

Yet, because the processes used for communication rely on Perl scripts, if a person knows what they’re looking for the threat is easily spotted on an infected system. Otherwise, it can run in the background with impunity.

“That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls,” Intego added.

Again, for now the main communication lines are clipped, but the code could easily be reproduced and new domains added for usage. So while they watch for new variants, Intego says that up-to-date AV signatures will detect this latest threat.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.