Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks

A Windows backdoor used in numerous attacks by a certain threat actor group has been ported to Mac OS X and fitted with new features, researchers at FireEye reported.

A Windows backdoor used in numerous attacks by a certain threat actor group has been ported to Mac OS X and fitted with new features, researchers at FireEye reported.

According to the security firm, the Windows version of the backdoor called XSLCmd has been used by a group dubbed “GREF,” which has been conducting cyber operations since at least 2009. The advanced persistent threat (APT) actor has targeted foundations and other non-governmental organizations (particularly ones focusing on Asia), engineering and electronics companies from all over the world, and the United States Defense Industrial Base.

Mac OS X Malware The OS X variant of XSLCmd, OSX.XSLCmd, was analyzed by FireEye after a sample was uploaded to VirusTotal on Aug. 10. Researchers say the Windows version – which enables attackers to transfer files, install other malware, and obtain a reverse shell on infected devices – has been used in numerous targeted attacks over the past years. In addition to the features found in the Windows variant, OSX.XSLCmd is also capable of capturing screenshots and logging keystrokes.

The threat arrives on targeted devices as a universal Mach-O executable that works on PowerPC, X86 and x86-64 CPUs.

“The code within contains both an installation routine that is carried out the first time it is executed on a system, and the backdoor routine which is carried out after confirming that its parent process is launchd (the initial user mode process of OS X that is responsible for, amongst other things, launching daemons),” FireEye’s James Bennett and Mike Scott wrote in a blog post.

As far as the GREF group is concerned, FireEye says it is one of the few APT threat actors that doesn’t use phishing as its primary attack vector. Instead, they prefer relying on strategic Web compromise (SWC) attacks, and are one of the early adopters of this technique, also known as watering hole attacks. In 2010, when the group was particularly active, GREF had access to several zero-day exploits affecting Adobe Flash and Internet Explorer, which they used in both phishing and SWC attacks.

In this period, they breached the websites of organizations such as the Center for Defense Information, the National Defense Industrial Association, the Interservice/Industry Training, Simulation and Education Conference, and the satellite company Millennium Space Systems. On the homepages of these websites, the attackers planted links to exploit code. The links were inserted in the Google Analytics code block to make them more difficult to detect.

“The TTP that most differentiates GREF from other APT threat groups is their unrelenting targeting of web server vulnerabilities to both gain entry to targeted organizations, as well as to get new platforms for SWC attacks. This threat group appears to devote more resources (than most other groups) in attempting to penetrate web servers, and generally, they make no attempt to obscure the attacks, often generating gigabytes of traffic in long-running attacks,” FireEye researchers said.

XSLCmd is the backdoor used most often by the group, but they’ve also relied on malware such as ERACS (Trojan.LURKER), Poison Ivy, Gh0st, 9002/HOMEUNIX, HKDoor, Briba and Kaba/SOGU.

OS X malware is being increasingly used in targeted attacks. Over the past years, such threats have been spotted in campaigns including IceFog, The Mask, and various operations targeting Tibetan and Uyghur activists.

“Not only have [threat actors] adopted new Windows-based backdoors over time, as Apple’s OS X platform has increased in popularity in many companies, they have logically adapted their toolset to match in order to gain and maintain a persistent foothold in the organizations they are targeting,” researchers noted. “Many people also consider it to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users.”

Related Reading: Mac Security Products Put to the Test

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.