Advanced persistent threat actors show adaptability to new OS environment

Sep 7, 2014 10:08 GMT  ·  By

Code from a five-year-old backdoor program used on Windows has been integrated in a spyware program designed to compromise Mac OS X systems.

Researchers analyzing the OS X-ready malware, dubbed XSLCmd, found that the sample had been checked on VirusTotal on August 10, when none of the available engines detected it; testing a sample against antivirus engines before use is a well-known practice of malware authors.

FireEye says that the piece supports both PowerPC and x86/x86-64 CPU architectures; besides the installation routine, it contains a backdoor that executes as soon as the parent process is running.

“The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process,” James Bennett and Mike Scott write in a blog post.

The capabilities present in the backdoor include opening a reverse shell along with actions for viewing files and transferring them to a remote location, or running self-update routines and installing other executable files.

However, compared to the Windows version, the OS X one adds functionality for monitoring the victim by logging keystrokes and capturing the computer screen.

The researchers believe that the XSLCmd backdoor is used in cyber-espionage activities by a group they call GREF; according to historical intelligence, the group has been operating since at least 2009, and its targets have included the US Defense Industrial Base as well as electronics and engineering companies around the world.

Taking the form of a Mach-O executable, the backdoor copies itself to “$HOME/Library/LaunchAgents/clipboardd” and creates a file in that folder that ensures the threat is launched as soon as the victim logs in after a reboot.
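As an added illustration, not code from the article or from FireEye, the following hypothetical Python audit walks a LaunchAgents folder and flags any agent whose program binary is stored inside that folder itself, the layout described above; the sample plists it builds are constructed for the demonstration.

```python
import os
import plistlib
import tempfile

# Hypothetical audit helper (added example, not FireEye's or the malware's code).
# Flags launch agents whose program binary lives inside the LaunchAgents folder
# itself, the layout the article describes ($HOME/Library/LaunchAgents/clipboardd).
def audit_launch_agents(agents_dir):
    """Return (plist name, program path, reason) for every suspicious agent."""
    agents_dir = os.path.abspath(agents_dir)
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # malformed or non-plist file in a launchd folder
            findings.append((name, None, "unparseable plist"))
            continue
        args = plist.get("ProgramArguments") or []
        target = plist.get("Program") or (args[0] if args else None)
        if not target:
            findings.append((name, None, "no Program/ProgramArguments key"))
            continue
        resolved = os.path.abspath(os.path.expanduser(os.path.expandvars(target)))
        if os.path.dirname(resolved) == agents_dir:
            findings.append((name, target, "executable stored inside LaunchAgents"))
    return findings

def build_sample_dir():
    """Constructed sample folder: one ordinary agent and one mimicking the layout."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {  # constructed benign agent
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True,
        },
        "clipboardd.plist": {  # constructed; only the binary location follows the article
            "Label": "clipboardd",
            "ProgramArguments": [os.path.join(d, "clipboardd")],
            "RunAtLoad": True,
        },
    }
    for fname, data in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return d
```

Running `audit_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))` on a real account lists the same kind of findings for that user's agents.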

During installation, the malware checks the operating system version, and versions above 10.8 (Mountain Lion) do not appear to be handled. This could indicate either that the authors targeted victims running this edition of OS X or that the piece was created specifically for Mountain Lion.

Porting Windows malware to other operating systems is not a new practice, and with the increased popularity of Apple machines, adapting spyware for OS X should come as no surprise.

The actors behind this threat are not only “advanced” but “adaptive” too, FireEye says in the blog post, as they managed to make their toolkit compatible with the new operating systems adopted by their victims and to obtain persistence on the infected machines.