Dropper code and backdoor configuration file format updated
Security researchers from Intego have spotted a new variant of OSX/Crisis, the Mac Trojan developed by Hacking Team and used by governments in targeted cyberattacks. OSX/Crisis.C is similar to previous variants: it is distributed with the aid of a dropper that installs silently on targeted machines.
It runs on Mac OS X 10.5, 10.6, and 10.7, and it enables attackers to capture audio and video, take screenshots, harvest the user's location, and connect to Wi-Fi networks.
To hide itself, Crisis patches Activity Monitor. It installs its rootkit component only if it can trick the user into granting it administrator privileges.
This third version of the threat comes with a different backdoor configuration file format. Some of the dropper code has also been updated.
Intego spotted the Mac malware after someone uploaded a sample to VirusTotal as a file called “Frantisek,” which the researchers believe could be a reference to Pope Francis.
As of Wednesday, only 6 of the 49 antivirus engines on VirusTotal detected the threat.