New Mac OS X Backdoor Found Targeting Uyghur Activists

Kaspersky Lab Discovers New Mac OS X Backdoor Variant Used in Targeted Attacks

Researchers from Russian security firm Kaspersky Lab today said they have discovered a new APT campaign that is using a new Mac OS X backdoor variant targeted at Uyghur activists.

According to Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis Team, the campaign uses malicious e-mails carrying a ZIP file that contains a JPEG photo and a Mac OS X application.
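The lure described above, a ZIP that bundles an image next to an .app bundle, is easy to triage at a mail gateway. The following is an added example, not code from the article or from Kaspersky Lab: it scans a ZIP's entry list for a Mac application bundle (recognised by the `<name>.app/Contents/MacOS/` path that holds the bundle's main executable) and reports any image files packed alongside it. The ZIP contents are constructed in the script itself; the file names and header bytes are placeholders, not indicators from the real campaign.

```python
import io
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def find_app_bundles(zip_bytes: bytes) -> dict:
    """Inspect a ZIP (as bytes) for Mac app bundles packed next to image lures.

    Returns {"bundles": [bundle names], "images": [image entry names]}.
    A bundle is recognised by the <name>.app/Contents/MacOS/ path that holds
    its main executable; a bare '.app' directory without that path is ignored.
    """
    bundles, images = set(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # match "<anything>.app/contents/macos/<file>" anywhere in the path
            idx = lower.find(".app/contents/macos/")
            if idx != -1:
                root = name[: idx + 4]            # path up to and including ".app"
                bundles.add(root.rsplit("/", 1)[-1])
            elif lower.endswith(IMAGE_EXTS):
                images.append(name)
    return {"bundles": sorted(bundles), "images": images}


def is_suspicious(zip_bytes: bytes) -> bool:
    """Flag any ZIP carrying an app bundle; the image beside it is the
    social-engineering lure the article describes, not a requirement."""
    return bool(find_app_bundles(zip_bytes)["bundles"])


def build_constructed_lure() -> bytes:
    """Constructed sample mimicking the described lure: a JPEG plus an .app bundle.
    The bytes are placeholders (JPEG SOI marker, fat-binary magic), not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/meeting.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("photos/meeting.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("photos/meeting.app/Contents/MacOS/meeting", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control sample: the same photo with no bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/meeting.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_app_bundles(build_constructed_lure()))
    print("suspicious:", is_suspicious(build_constructed_lure()),
          "benign:", is_suspicious(build_benign_zip()))
```

The check keys on the bundle layout rather than on the `.app` suffix alone because a plain directory named `something.app` is harmless; what matters is an executable under `Contents/MacOS/`, which is what Finder launches when the user double-clicks the "photo".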

When executed, the malware installs itself on the Mac OS X system and then attempts to connect to a Command and Control (C&C) server to receive instructions. Once installed, the backdoor enables the attacker to list files, transfer files and execute commands on the infected system.

“The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as ‘Backdoor.OSX.MaControl.b’,” Raiu noted in a blog post.

“The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size,” he added. “The configuration block is obfuscated with a simple ‘subtract 8’ operation.”
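An appended, lightly obfuscated configuration block of the kind Raiu describes can be recovered without running the sample: take the last 0x214 bytes of the file, undo the byte-wise transform, and carve strings. The following is an added example, not Kaspersky Lab's tooling. It assumes the stored bytes are the plaintext minus 8 (so recovery adds 8 modulo 256); if a real sample decodes to garbage, the sign of the constant is the first thing to flip. The article does not describe the block's internal layout, so the script simply extracts printable runs rather than parsing fields. The binary it operates on is constructed inline, with a placeholder header and example hostnames.

```python
import string

CONFIG_BLOCK_SIZE = 0x214   # trailing configuration block size, from the article
DELTA = 8                   # the "subtract 8" constant, from the article


def obfuscate(plain: bytes, delta: int = DELTA) -> bytes:
    """Apply the 'subtract 8' transform byte-wise (mod 256)."""
    return bytes((b - delta) & 0xFF for b in plain)


def deobfuscate(blob: bytes, delta: int = DELTA) -> bytes:
    """Invert the transform by adding the constant back (mod 256).
    Assumption: stored = plain - 8; swap with obfuscate() if a sample disagrees."""
    return bytes((b + delta) & 0xFF for b in blob)


def carve_config(sample: bytes, size: int = CONFIG_BLOCK_SIZE) -> bytes:
    """Return the trailing config block, i.e. the last `size` bytes of the file."""
    if len(sample) < size:
        raise ValueError("file shorter than the configuration block")
    return sample[-size:]


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of printable ASCII separated by NUL or other non-printables,
    the same idea as the `strings` utility."""
    ok = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, cur = [], bytearray()
    for b in data:
        if b in ok:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def extract_c2(sample: bytes) -> list[str]:
    """Carve, decode and string-scan the trailing block of a sample."""
    return printable_strings(deobfuscate(carve_config(sample)))


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an infected binary: placeholder header bytes and
    padding, followed by an obfuscated 0x214-byte block holding two C&C strings.
    The hostnames are examples, not indicators from the real campaign."""
    body = b"\xca\xfe\xba\xbe" + b"\x00" * 1000
    config = b"c2.example.net:443\x00backup.example.org:8080\x00"
    config = config.ljust(CONFIG_BLOCK_SIZE, b"\x00")
    return body + obfuscate(config)


if __name__ == "__main__":
    for s in extract_c2(build_constructed_sample()):
        print(s)
```

A practical check before trusting the output: the decoded block of a real sample should contain at least one host:port or URL-looking string, and the bytes just before the block should still parse as the end of the legitimate binary. If neither holds, the block boundary or the constant is wrong.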

As Mac OS X grows in popularity and is increasingly adopted by high-profile targets, Kaspersky Lab expects the number of Mac OS X APT attacks to grow. To support that argument, Raiu notes that the Dalai Lama is a known Mac user.

While threats against Mac OS X based systems may be growing, at the Kaspersky Lab Security Summit 2012 that took place this week in Moscow, Kaspersky Lab noted that despite the proliferation of devices and operating systems, it expects 90% of PCs to remain Windows-based in the years to come.

Back in April, Kaspersky Lab researchers said that they had found a link between an APT campaign known as Luckycat and a strain of Mac malware. The malware, known as SabPub, had been spotted spreading through malicious Microsoft Word documents and through the same Java vulnerability targeted by the Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.

The campaign was originally reported by Trend Micro and said to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times linked the campaign to a former graduate student from Sichuan University, in Chengdu, China.

“Just like with PC malware, a combination of exploits and social engineering tricks is generally the most effective; it won’t be surprising to see a spike in such attacks soon,” Raiu concluded.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
