Dropper code and backdoor configuration file format updated

Jan 23, 2014 09:50 GMT

Security researchers from Intego have spotted a new variant of OSX/Crisis, the Mac Trojan developed by Hacking Team and used by governments in targeted cyberattacks.

OSX/Crisis.C is similar to previous variants. It’s distributed with the aid of a dropper that installs silently on targeted machines.

It runs on Mac OS X 10.5, 10.6, and 10.7, and it enables attackers to capture audio and video, take screenshots, harvest user locations, and connect to Wi-Fi.

To hide itself, Crisis patches the Activity Monitor. It installs its rootkit component only when it obtains administrator privileges, which it does by tricking the user into granting them.

This third version of the threat comes with a different backdoor configuration file format. Some of the dropper code has also been updated.

Intego spotted the Mac malware after it was uploaded by someone to VirusTotal as a file called “Frantisek,” which experts believe could be a reference to Pope Francis.

On Wednesday, only 6 of the 49 antivirus engines on VirusTotal detected the sample.