New Mac OS X Backdoor Being Used for an Advanced Persistent Threat Campaign

July 3, 2012 – Cyberthreats targeting the Mac OS X platform continue to appear in various types of attacks and techniques. On June 27, 2012, Kaspersky Lab's experts intercepted a new wave of Mac OS X attacks targeting Uyghur activists that were part of an Advanced Persistent Threat (APT) campaign.

The APT attackers were sending customized emails to a select number of Uyghur activists who were presumed Mac users. The targeted emails included ZIP attachments inside them, which contain a malicious Mac OS X backdoor. To disguise the malware, the ZIP file showed a JPEG photo together with the malicious application.

Kaspersky Lab’s researchers analyzed the Mac OS X backdoor and concluded that the malicious application is a new and primarily undetected variant of the MaControl backdoor, which supports both i386 and PowerPC Macs. However, Kaspersky Lab’s system detects the malicious variant as “Backdoor.OSX.MaControl.b.”

When executed, the MaControl backdoor installs itself inside the victim’s Mac and connects to its Command and Control (C&C) server to get instructions. The backdoor allows its operator to list files, transfer files and generally run commands on the infected Mac computer at will. During the analysis of the malware, Kaspersky Lab identified its C&C server, which is located in China.

“Macs are not only growing in popularity globally, but also with high-profile people who choose to use Mac OS X computers because they believe it’s safer,” said Costin Raiu, Director of Global Research & Analysis at Kaspersky Lab. “However, we believe that as the adoption increases for Mac OS X, the attacks for both mass-infection and targeted campaigns will also grow. Attackers will continue to refine and enhance their methods to mix exploits and social engineering techniques to try and infect victims. Just like PC malware, this combination is commonly the most effective and cybercriminals will continue to challenge Mac OS X users’ security, both technically and psychologically.”

This is not the first time Kaspersky Lab has identified APT-driven attacks targeting Mac OS X users. In April 2012, Kaspersky Lab’s researchers published information about an active APT campaign, SabPub, which was attacking the Mac OS X platform by exploiting an MS Office vulnerability. Once the custom backdoor Trojan infected a victim’s machine, it was able to take screenshots of the user’s current session and execute commands on the infected computer.

Even though the notorious Flashfake Trojan, which helped to create a botnet of 700k+ Mac computers, was the most prominent example of Mac OS X infections, cybercriminals have continued to attack the platform, most notably in targeted campaigns. Several days ago, Apple pulled a claim from their website which said that “a Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers.”

The Mac OS X security landscape continues to change in 2012 as cybercriminals target the platform with various types of techniques and methods.

*The Backdoor.OSX.MaControl.b malware is detected and remediated by Kaspersky Anti-Virus 2011 for Mac.

More information about the APT attack and the new Mac OS X MaControl Backdoor variant, please visit Securelist.com.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked software vendors according to earnings from sales of endpoint security solutions in 2010.