Kaspersky Lab Discovers New Mac OS X Backdoor Variant Used in Targeted Attacks
Researchers from Russian security firm Kaspersky Lab today said they have discovered a new APT campaign that is using a new Mac OS X backdoor variant targeted at Uyghur activists.
According to Costin Raiu, Director of Kaspersky’s Global Research and Analysis Team, the campaign uses malicious e-mails carrying a ZIP archive that contains a JPEG photo and a Mac OS X application.
When executed, the malware installs itself on the Mac OS X system and then attempts to connect to a Command and Control (C&C) server to receive instructions. Once installed, the backdoor lets the attacker view files, transfer files and execute commands on the infected system.
“The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as ‘Backdoor.OSX.MaControl.b’,” Raiu noted in a blog post.
“The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size,” he added. “The configuration block is obfuscated with a simple ‘subtract 8’ operation.”
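As an added illustration, and not code from Kaspersky or from the malware itself, the following Python script extracts and decodes a trailing configuration block laid out the way Raiu describes. It assumes the block is exactly the last 0x214 bytes of the file and that “subtract 8” describes the encoder, so recovery adds 8 to each byte modulo 256; because the post does not say which direction the operation runs, the script tries both and keeps the result that looks more like text. The sample “binary” and the C&C host names inside it are constructed for the example.

```python
#!/usr/bin/env python3
"""Extract and de-obfuscate a configuration block appended to a binary.

Added example, not Kaspersky's or the malware author's code. Assumptions:
- the config is the final 0x214 bytes of the file (size from Raiu's post);
- it was obfuscated by subtracting 8 from every byte (mod 256), so
  recovery adds 8; a heuristic also covers the reverse convention.
"""
import string

CONFIG_SIZE = 0x214          # size of the appended block, per Raiu's description
OBF_DELTA = 8                # the "subtract 8" constant
# Printable ASCII minus vertical tab / form feed, which never appear in host names
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def obfuscate(plain: bytes, delta: int = OBF_DELTA) -> bytes:
    """Encoder as assumed here: subtract delta from each byte, wrapping mod 256."""
    return bytes((b - delta) & 0xFF for b in plain)


def deobfuscate(blob: bytes, delta: int = OBF_DELTA) -> bytes:
    """Inverse of obfuscate(): add delta back, wrapping mod 256."""
    return bytes((b + delta) & 0xFF for b in blob)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or NUL (NUL separates/pads strings)."""
    if not data:
        return 0.0
    good = sum(1 for b in data if b in PRINTABLE or b == 0)
    return good / len(data)


def extract_config(file_bytes: bytes, size: int = CONFIG_SIZE) -> bytes:
    """Return the trailing block that the backdoor reads its C&C list from."""
    if len(file_bytes) < size:
        raise ValueError("file shorter than the expected trailing config block")
    return file_bytes[-size:]


def recover_config(file_bytes: bytes, delta: int = OBF_DELTA) -> tuple[bytes, int]:
    """Return (decoded block, delta applied).

    'Subtract 8' could describe either the encoder or the decoder, so both
    directions are tried and the more text-like result is kept.
    """
    raw = extract_config(file_bytes)
    candidates = {delta: deobfuscate(raw, delta), -delta: deobfuscate(raw, -delta)}
    best = max(candidates, key=lambda d: printable_ratio(candidates[d]))
    return candidates[best], best


def c2_strings(config: bytes, min_len: int = 4) -> list[str]:
    """Split the decoded block on NUL and keep printable runs of at least min_len."""
    found = []
    for chunk in config.split(b"\x00"):
        if len(chunk) >= min_len and all(b in PRINTABLE for b in chunk):
            found.append(chunk.decode("ascii"))
    return found


def build_sample() -> bytes:
    """Constructed test input: a fake fat-binary prefix plus an obfuscated config.

    The host names are placeholders, not indicators from the real campaign.
    """
    plain = b"c2.example.invalid:8080\x00backup.example.invalid:443\x00"
    plain = plain.ljust(CONFIG_SIZE, b"\x00")          # NUL-pad to 0x214 bytes
    fake_binary = b"\xca\xfe\xba\xbe" + b"\x90" * 64    # fat magic + filler, constructed
    return fake_binary + obfuscate(plain)


if __name__ == "__main__":
    config, applied = recover_config(build_sample())
    print(f"decoded with delta {applied:+d}; C&C entries: {c2_strings(config)}")
```

On a real sample the script would read the file from disk instead of calling build_sample(); the direction heuristic leans on NUL padding, so a block with little padding would need manual inspection of both candidates.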
As the Mac OS grows in popularity and is increasingly adopted by high profile targets, Kaspersky Lab expects the number of Mac OS APT attacks to grow. As evidence, Raiu notes that the Dalai Lama is said to be a known Mac user.
While threats against Mac OS based systems may be growing, Kaspersky Lab noted at its Security Summit 2012, held this week in Moscow, that although there are many different devices and operating systems, 90% of PCs will remain Windows-based in the years to come.
Back in April, Kaspersky Lab researchers said that they had found a link between an APT campaign known as Luckycat and a strain of Mac malware. The malware, known as SabPub, had been spotted spreading both through malicious Microsoft Word documents and through the same Java vulnerability targeted by the Flashback Trojan. The malware is believed to have first appeared earlier this year, and works by installing a backdoor on a compromised machine that allows it to receive commands from a remote server.
The campaign was originally reported by Trend Micro and was said to be going after targets ranging from Tibetan activists to military research, aerospace and energy companies in India and Japan. A subsequent investigation by the New York Times linked the campaign to a former graduate student from Sichuan University in Chengdu, China.
“Just like with PC malware, a combination of exploits and social engineering tricks is generally the most effective; it won’t be surprising to see a spike in such attacks soon,” Raiu concluded.