14 DAY TRIAL // A malicious package created for Mac systems integrates a legitimate component for intercepting keystrokes that is freely available on code sharing websites.
The sample has been dubbed Ventir, and apart from keylogging capabilities, it also contains a backdoor and a spying utility.
Open-source kernel extension used for nefarious purposes
Either because they are too lazy to produce the code themselves or because it simply suits their purpose as it is, cybercriminals have turned to publicly available code to carry out their malicious activities, and this is not a new trend.
Malware researchers from Kaspersky have detected a modular malware for OS X that relies on LogKext, an open-source software package for capturing user keyboard input.
Detected by the company’s products as “not-a-virus:Monitor.OSX.LogKext.c,” LogKext hooks into the kernel of the operating system to achieve its purpose.
The item is a legitimate file that has been abandoned by its original developer and passed to a different maintainer that updated it to work on OS X Mavericks (10.9); it is freely available for download from GitHub.
Mikhail Kuzin of Kaspersky says that LogKext is added to the compromised computer only if the dropper successfully obtains elevated privileges to the system.
LogKext has three files whose functionality is to intercept the keystrokes (updated.kext), match the key codes to the characters associated with these codes (Keymap.plist), and log the keystrokes along with some system events (EventMonitor agent).
Additional Ventir components
The first thing the malware package does after being launched is to check if it has root access. Depending on this, it proceeds to install all the files of the keylogging component it includes, or just the agent that logs the name of the currently active window and the keystrokes; this also determines the installation path of the Trojan files.
The backdoor is used to communicate with the command and control (C&C) server and receive commands. These can be anything from rebooting the computer, removing the malware from the system, downloading updates from the C&C machine and executing commands, to uploading data to the system controlled by the attackers.
EventMonitor spying component is used only if elevated privileges are not obtained. “Immediately before processing a keystroke, the malware determines the name of the process whose window is currently active,” says Kuzin in a blog post.
The researcher says that Ventir has a similar structure with another malware piece, Morcut, which is also known as Crisis. They share similar functionality and have the same number of modules.