New Mac OS X Backdoor Being Used for an Advanced Persistent Threat Campaign
July 2012 by Kaspersky Lab
On 27 June 2012, Kaspersky Lab’s experts intercepted a new wave of Mac OS X attacks targeting Uyghur activists that were part of an Advanced Persistent Threat (APT) campaign.
The APT attackers were sending customised emails to a select number of Uyghur activists who were presumed Mac users. The targeted emails included ZIP attachments inside them, which contained a malicious Mac OS X backdoor. To disguise the malware, the ZIP file showed a JPEG photo together with the malicious application.
Kaspersky Lab’s researchers analysed the Mac OS X backdoor and concluded that the malicious application is a new, and primarily undetected, variant of the MaControl backdoor, which supports both i386 and PowerPC Macs. However, Kaspersky Lab’s system* detects the malicious variant as “Backdoor.OSX.MaControl.b.”
When executed, the MaControl backdoor installs itself inside the victim’s Mac and connects to its Command and Control (C&C) server to get instructions. The backdoor allows its operator to list files, transfer files and generally run commands on the infected Mac computer at will. During the analysis of the malware, Kaspersky Lab identified its C&C server, which is located in China.
“Macs are growing in global popularity, even amongst high-profile people. Many choose to use Mac OS X computers because they believe it’s safer,” said Costin Raiu, Director of Global Research & Analysis at Kaspersky Lab. “However, we believe that as the adoption increases for Mac OS X, so will both mass-infection attacks and targeted campaigns. Attackers will continue to refine and enhance their methods to mix exploits and social engineering techniques to try and infect victims. Just like PC malware, this combination is commonly the most effective and cybercriminals will continue to challenge Mac OS X users’ security, both technically and psychologically.”
This is not the first time Kaspersky Lab has identified APT-driven attacks targeting Mac OS X users. In April 2012, Kaspersky Lab’s researchers published information about an active APT campaign, SabPub, which was attacking the Mac OS X platform by exploiting an MS Office vulnerability. Once the custom backdoor Trojan infected a victim’s machine, it was able to take screenshots of the user’s current session and execute commands on the infected computer.
Even though the notorious Flashfake Trojan, which helped to create a botnet of 700k+ Mac computers, was the most prominent example of Mac OS X infections, cybercriminals have continued to attack the platform, most notably in targeted campaigns. Several days ago, Apple pulled a claim from their website which said that “a Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.”
The Mac OS X security landscape continues to change in 2012 as cybercriminals target the platform with various types of techniques and methods.
For more information about the APT attack and the new Mac OS X MaControl Backdoor variant, please visit Securelist.com.
*The Backdoor.OSX.MaControl.b malware is detected and remediated by Kaspersky Anti-Virus 2011 for Mac.