
New Mac OS X Backdoor Found Targeting Uyghur Activists

Kaspersky Lab Discovers New Mac OS X Backdoor Variant Used in Targeted Attacks

Researchers from Russian security firm Kaspersky Lab today said they have discovered a new APT campaign that is using a new Mac OS X backdoor variant targeted at Uyghur activists.


According to Costin Raiu, Director of Kaspersky’s Global Research and Analysis Team, the campaign uses malicious e-mails containing a JPEG photo and a Mac OS X app embedded in a ZIP file.

When executed, the malware installs itself on the Mac OS X system and then attempts to connect to a Command and Control (C&C) server to receive instructions. Once successfully installed, the backdoor enables the attacker to see files, transfer files and execute commands on the infected system.

“The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as ‘Backdoor.OSX.MaControl.b’,” Raiu noted in a blog post.

“The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size,” he added. “The configuration block is obfuscated with a simple ‘subtract 8’ operation.”
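As an added illustration of the configuration-block layout Raiu describes (this is not code from Kaspersky Lab or from this article), the script below carves the trailing 0x214-byte block from a constructed sample, reverses the “subtract 8” obfuscation by adding 8 back (the decoding direction is an assumption; the page only names the obfuscation), and pulls out host-like strings an analyst would triage as candidate C&C indicators. The sample bytes, the `example.invalid` hostname and the documentation IP address are all constructed.

```python
import re

CONFIG_SIZE = 0x214        # size of the trailing configuration block (from the report)
OBFUSCATION_DELTA = 8      # "subtract 8" obfuscation; decoding adds 8 back (assumption)


def extract_config_block(sample: bytes, size: int = CONFIG_SIZE) -> bytes:
    """Return the last `size` bytes of a file image, where the block is appended."""
    if len(sample) < size:
        raise ValueError("sample shorter than the expected configuration block")
    return sample[-size:]


def deobfuscate(block: bytes, delta: int = OBFUSCATION_DELTA) -> bytes:
    """Reverse a byte-wise 'subtract N' obfuscation by adding N back, modulo 256."""
    return bytes((b + delta) & 0xFF for b in block)


def obfuscate(block: bytes, delta: int = OBFUSCATION_DELTA) -> bytes:
    """Apply the 'subtract N' obfuscation (used here only to build the constructed sample)."""
    return bytes((b - delta) & 0xFF for b in block)


def extract_c2_strings(plain: bytes, min_len: int = 6) -> list:
    """Pull printable runs out of the decoded block and keep those shaped like host[:port] or IPv4[:port]."""
    candidates = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, plain)
    host_re = re.compile(
        r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?$", re.I
    )
    return [c.decode() for c in candidates if host_re.match(c.decode())]


def analyse(sample: bytes) -> list:
    """Carve, decode and triage the appended configuration block of one sample."""
    return extract_c2_strings(deobfuscate(extract_config_block(sample)))


# Constructed sample: fake "code" bytes followed by an obfuscated, NUL-padded config block.
_CONFIG_PLAIN = (b"c2.example.invalid:443\x00" + b"203.0.113.10\x00").ljust(CONFIG_SIZE, b"\x00")
SAMPLE = b"\xca\xfe\xba\xbe" + b"\x90" * 64 + obfuscate(_CONFIG_PLAIN)

if __name__ == "__main__":
    print(analyse(SAMPLE))  # → ['c2.example.invalid:443', '203.0.113.10']
```

On a real sample the decoded strings should be checked against the rest of the block (padding, flags) before being promoted to blocking indicators, since the carve is purely positional.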

As Mac OS X grows in popularity and is increasingly adopted by high-profile targets, Kaspersky Lab expects the number of Mac OS X APT attacks to grow. To support that argument, Raiu notes that the Dalai Lama is said to be a known Mac user.

While threats against Mac OS X-based systems may be growing, at the Kaspersky Lab Security Summit 2012 that took place this week in Moscow, Kaspersky Lab highlighted the fact that although there are many different devices and operating systems, 90% of PCs will remain Windows-based in the years to come.

Back in April, Kaspersky Lab researchers said that they found a link between an APT campaign known as Luckycat and a strain of Mac malware. The malware, known as SabPub, had been spotted spreading through malicious Microsoft Word documents exploiting the same Java vulnerability targeted by the Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.


The campaign was originally reported by Trend Micro and said to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times identified a former graduate student from Sichuan University, in Chengdu, China.

“Just like with PC malware, combinations of exploits and social engineering tricks are generally the most effective; it won’t be surprising to see a spike in such attacks soon,” Raiu concluded.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
