
Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks

A Windows backdoor used in numerous attacks by a certain threat actor group has been ported to Mac OS X and fitted with new features, researchers at FireEye reported.

According to the security firm, the Windows version of the backdoor called XSLCmd has been used by a group dubbed "GREF," which has been conducting cyber operations since at least 2009. The advanced persistent threat (APT) actor has targeted foundations and other non-governmental organizations (particularly ones focusing on Asia), engineering and electronics companies from all over the world, and the United States Defense Industrial Base.

The OS X variant of XSLCmd, OSX.XSLCmd, was analyzed by FireEye after a sample was uploaded to VirusTotal on Aug. 10. Researchers say the Windows version – which enables attackers to transfer files, install other malware, and obtain a reverse shell on infected devices – has been used in numerous targeted attacks over the past years. In addition to the features found in the Windows variant, OSX.XSLCmd is also capable of capturing screenshots and logging keystrokes.

The threat arrives on targeted devices as a universal Mach-O executable that works on PowerPC, x86 and x86-64 CPUs.
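As an added illustration (not code from the article or from FireEye's analysis), the following Python triage helper reads a Mach-O header and reports which CPU slices a universal binary carries, which is the first thing an analyst checks when a sample like this one lands in a sandbox. The magic numbers and cpu_type_t values are taken from Apple's public headers; the sample headers are constructed inline, not taken from the real malware.

```python
import struct
FAT_MAGIC = 0xCAFEBABE                            # universal header, always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin Mach-O, big-endian fields
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE    # thin Mach-O, little-endian fields
CPU_TYPE_NAMES = {0x7: "x86", 0x01000007: "x86_64", 0x12: "ppc", 0x01000012: "ppc64",
                  0xC: "arm", 0x0100000C: "arm64"}   # cpu_type_t values from <mach/machine.h>

def architectures(data: bytes) -> list[str]:
    """Return the CPU slices a Mach-O file (thin or universal) carries; ValueError if not Mach-O."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        # Java class files share 0xCAFEBABE; their next field is a version, so an
        # implausible slice count means "not a fat binary" (file(1) applies the same test).
        if nfat_arch == 0 or nfat_arch > 32:
            raise ValueError("0xCAFEBABE but not a plausible fat header (Java class?)")
        if len(data) < 8 + 20 * nfat_arch:        # sizeof(struct fat_arch) == 20
            raise ValueError("truncated fat_arch table")
        names = []
        for i in range(nfat_arch):                 # first field of each fat_arch is cputype
            cputype = struct.unpack(">I", data[8 + 20 * i: 12 + 20 * i])[0]
            names.append(CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
        return names
    if magic in (MH_MAGIC, MH_MAGIC_64):           # thin header written big-endian (e.g. PowerPC)
        cputype = struct.unpack(">I", data[4:8])[0]
    elif magic in (MH_CIGAM, MH_CIGAM_64):         # thin header written little-endian (x86, arm)
        cputype = struct.unpack("<I", data[4:8])[0]
    else:
        raise ValueError(f"not a Mach-O magic: 0x{magic:08x}")
    return [CPU_TYPE_NAMES.get(cputype, f"unknown(0x{cputype:08x})")]

def is_macho(data: bytes) -> bool:
    try:
        architectures(data)
        return True
    except ValueError:
        return False

def build_fat_header(cputypes: list[int]) -> bytes:   # constructed fat header with empty slices
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):                 # cputype, cpusubtype, offset, size, align
        hdr += struct.pack(">IIIII", ct, 0, 4096 * (i + 1), 0, 12)
    return hdr

# Constructed samples: the ppc/x86/x86_64 layout the article describes, a thin x86_64
# header as written on disk (little-endian), and a Java class file sharing the magic.
SAMPLE_UNIVERSAL = build_fat_header([0x12, 0x7, 0x01000007])
SAMPLE_THIN_X86_64 = struct.pack("<II", MH_MAGIC_64, 0x01000007)
SAMPLE_JAVA_CLASS = struct.pack(">IHH", FAT_MAGIC, 0, 52)
```

Running `architectures(open(path, "rb").read(64))` on a real file is enough, since only the first 8 + 20 * nfat_arch bytes are read; a result listing several slices is the signature of the universal layout described above.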

"The code within contains both an installation routine that is carried out the first time it is executed on a system, and the backdoor routine which is carried out after confirming that its parent process is launchd (the initial user mode process of OS X that is responsible for, amongst other things, launching daemons)," FireEye's James Bennett and Mike Scott wrote in a blog post.

As far as the GREF group is concerned, FireEye says it is one of the few APT threat actors that doesn't use phishing as its primary attack vector. Instead, they prefer relying on strategic Web compromise (SWC) attacks, and are one of the early adopters of this technique, also known as watering hole attacks. In 2010, when the group was particularly active, GREF had access to several zero-day exploits affecting Adobe Flash and Internet Explorer, which they used in both phishing and SWC attacks.

In this period, they breached the websites of organizations such as the Center for Defense Information, the National Defense Industrial Association, the Interservice/Industry Training, Simulation and Education Conference, and the satellite company Millennium Space Systems. On the homepages of these websites, the attackers planted links to exploit code. The links were inserted in the Google Analytics code block to make them more difficult to detect.

"The TTP that most differentiates GREF from other APT threat groups is their unrelenting targeting of web server vulnerabilities to both gain entry to targeted organizations, as well as to get new platforms for SWC attacks. This threat group appears to devote more resources (than most other groups) in attempting to penetrate web servers, and generally, they make no attempt to obscure the attacks, often generating gigabytes of traffic in long-running attacks," FireEye researchers said.

XSLCmd is the backdoor used most often by the group, but they've also relied on malware such as ERACS (Trojan.LURKER), Poison Ivy, Gh0st, 9002/HOMEUNIX, HKDoor, Briba and Kaba/SOGU.

OS X malware is increasingly being used in targeted attacks. Over the past years, such threats have been spotted in campaigns including IceFog, The Mask, and various operations targeting Tibetan and Uyghur activists.

"Not only have [threat actors] adopted new Windows-based backdoors over time, as Apple’s OS X platform has increased in popularity in many companies, they have logically adapted their toolset to match in order to gain and maintain a persistent foothold in the organizations they are targeting," researchers noted. "Many people also consider it to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users."


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.