New Mac Backdoor Found in the Wild

  Mac OS X backdoor used in targeted attack
Security researchers warn of a newly identified Mac backdoor that was found in a malicious archive uploaded anonymously to Virus Total last month.

Security researchers warn of a newly identified Mac backdoor that was found in a malicious archive uploaded anonymously to Virus Total last month.

The Virus Total archive is called "PortalCurrent events-2009 July 5.rar" suggesting that it's a local copy of the Wikipedia July 5, 2009, current events page.

The archive has clearly been modified because the folder includes photos from events on June 15th 2011 as well as two executable files, one for Windows and one for Mac.

The files are installers for a backdoor detected by Microsoft as Olyx which has separate versions for both Microsoft's and Apple's operating systems.

"The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges.

"It disguises itself as a Google application support file by creating a folder named 'google' in the /Library/Application Support directory, where the backdoor installs as 'startp'," security researchers from Microsoft explain.

The malware also configures itself to run at user logon and calls home to a remote server. Attackers can control it to download and upload files from and to the infected computers.

One interesting aspect of this backdoor is that both the Windows and Mac executables were signed with a valid digital certificate issued to a Chinese company by the WoSign Code Signing Authority.

The certificate has since been revoked which suggests that the malware's creators originally stole the company's private key. Digitally signed malware is extremely rare, one of the few examples being the infamous Stuxnet industrial sabotage worm.

All of these characteristics suggest that the backdoor was part of a targeted attack, but the actual target remains a mystery. Nevertheless, it is proof that Mac users are being targeted by increasingly sophisticated malware.

Comments