'Lame' Mac malware finds success in spearphishing

Summary: Barely concealed security threat found on activist's Mac.

TOPICS: Security

Security researchers have found a new but technically crude piece of Mac malware that has been used to spy on activists.

Security researcher Jacob Appelbaum recently discovered the malware on the Mac of an Angolan activist. He used the case to discuss security with activists from across the globe at the Oslo Freedom Forum in Norway this week. 

According to Appelbaum, the Angolan activist was the target of a spearphishing attack: emails duped the victim into installing the malware by hand.

The malware takes screenshots of the victim's display and dumps them in a folder called MacsApp. The captured files are then uploaded to two remote servers.

The sample was not detected by any antivirus product when Appelbaum uploaded it to VirusTotal earlier this week. The malware does, however, very little to hide itself from the victim.

The malware appears in the Mac's Login Items list as an application named "Macs" that is configured to open whenever the victim logs in, which is also what makes it easy to spot: a user who checks System Preferences > Users & Groups > Login Items sees it there in plain sight.

Malware launches in plain sight. Image credit: F-Secure

Finnish security firm F-Secure added a signature for it this week and has named it Backdoor:OSX/KitM.A. Sean Sullivan, a researcher with the vendor, noted that the malware was signed with an Apple Developer ID. That matters because Gatekeeper, introduced in OS X Mountain Lion, by default blocks apps downloaded from outside the Mac App Store unless they are signed with a Developer ID, so a valid Developer ID signature lets the installer run without tripping Gatekeeper's block.
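The three observable traits above (a "Macs" login item, a MacsApp drop folder in the home directory, and a Developer ID signature) are enough for a quick host-side triage. The script below is an added example, not code from the article, F-Secure or Rapid7: it sweeps a Login Items listing and a home-directory listing for the two indicators, and parses `codesign -dv --verbose=4` output to distinguish an Apple-issued Developer ID chain (the case that passes Gatekeeper's default policy) from a self-signed certificate that merely copies the Developer ID naming. Live collection via `osascript` and `codesign` only works on macOS; the listings, the bundle identifier `com.example.macs` and the team ID `ABCDE12345` in the sample data are constructed placeholders, not values from the real sample.

```python
"""Host-side triage for the KitM.A indicators described in the article.
Added example, not code from the article, F-Secure or Rapid7.  Sample
codesign output and listings are constructed; identifier/team ID are made up."""
import platform
import re
import subprocess
from pathlib import Path

# Indicator names taken from the article; compared case-insensitively.
SUSPECT_LOGIN_ITEMS = {"macs"}
SUSPECT_HOME_DIRS = {"macsapp"}

# Leaf-certificate name format of Apple-issued Developer ID certificates.
DEVELOPER_ID_LEAF = re.compile(r"^Developer ID Application: (.+?) \(([A-Z0-9]{10})\)$")
# Intermediate and root that must sit above that leaf for it to be Apple-issued.
DEVELOPER_ID_CHAIN = ["Developer ID Certification Authority", "Apple Root CA"]


def list_login_items():
    """Login item names via System Events.  macOS only; returns [] elsewhere."""
    if platform.system() != "Darwin":
        return []
    script = 'tell application "System Events" to get the name of every login item'
    out = subprocess.run(["osascript", "-e", script],
                         capture_output=True, text=True, check=False).stdout
    return [s.strip() for s in out.split(",") if s.strip()]


def codesign_info(path):
    """Raw `codesign -dv --verbose=4` output (codesign writes it to stderr)."""
    if platform.system() != "Darwin":
        return ""
    return subprocess.run(["codesign", "-dv", "--verbose=4", str(path)],
                          capture_output=True, text=True, check=False).stderr


def find_login_item_indicators(login_items):
    return [n for n in login_items if n.strip().lower() in SUSPECT_LOGIN_ITEMS]


def find_drop_folders(home_entries):
    return [e for e in home_entries if e.lower() in SUSPECT_HOME_DIRS]


def parse_codesign(output):
    """key=value lines -> dict; Authority lines become a leaf-to-root list,
    in the order codesign prints them."""
    info = {"authorities": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info


def classify_signature(info):
    """'developer-id' = Apple-issued Developer ID leaf chained to Apple Root CA
    (passes Gatekeeper's default policy).  A leaf that only *looks* like a
    Developer ID cert but is not chained to Apple is reported separately:
    the certificate name alone proves nothing."""
    chain = info["authorities"]
    if not chain:
        return "unsigned-or-adhoc", None
    m = DEVELOPER_ID_LEAF.match(chain[0])
    if m and chain[1:] == DEVELOPER_ID_CHAIN:
        return "developer-id", {"developer": m.group(1), "team_id": m.group(2)}
    if m:
        return "untrusted-chain", {"developer": m.group(1), "team_id": m.group(2)}
    return "other", {"leaf": chain[0]}


def triage(login_items, home_entries, codesign_output):
    """Combine the checks into one report; inputs are plain data so the
    function can be exercised offline on any platform."""
    sig, details = classify_signature(parse_codesign(codesign_output))
    return {"login_items": find_login_item_indicators(login_items),
            "drop_folders": find_drop_folders(home_entries),
            "signature": sig, "signer": details}


# Constructed sample of codesign output for a Developer ID-signed app bundle.
SAMPLE_DEVID_OUTPUT = """\
Executable=/Users/victim/Macs.app/Contents/MacOS/Macs
Identifier=com.example.macs
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=4200
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed sample: a self-signed certificate that copies the Developer ID name.
SAMPLE_SELF_SIGNED_OUTPUT = """\
Identifier=com.example.macs
Authority=Developer ID Application: Example Developer (ABCDE12345)
"""

if __name__ == "__main__":
    home = Path.home()
    entries = [p.name for p in home.iterdir()] if home.is_dir() else []
    # Login items come from the live system on macOS (empty elsewhere); the
    # signature check runs on the constructed sample so output appears anywhere.
    print(triage(list_login_items(), entries, SAMPLE_DEVID_OUTPUT))
```

The team ID and developer name pulled out of a genuine Developer ID chain are what you would pass on to Apple for certificate revocation; a chain that does not end in Apple Root CA would never have satisfied Gatekeeper in the first place, so the two cases call for different follow-up.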

Appelbaum provided a sample of the malware to Rapid7 malware researcher Claudio Guarnieri, who described it as technically "lame".

"The malware itself is just an extremely lame piece of code that wraps around command line utilities to take screenshots, copy files and upload them," Guarnieri told ZDNet.

Still, as he noted on Twitter, it does work. 


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • So it is lame because it was found on a mac?

    Most Mac users I know wouldn't know how to look in the login items
    • To be fair....

      Neither would the majority of Windows users. It doesn't take much with most non-technical users.
      • Agree about most users

        Most non-technical users need help with some very basic issues, so a list of login items or similar just glazes the eyes. In fact, on most systems one would need to research what should be listed based on the installed hardware and software. So even a knowledgeable person with an unfamiliar system would not necessarily know what should be there immediately; they do not know the full configuration of the system.
    • You also have to be tricked into installing it.

      And then the first time it runs, you'll have to agree to open it because it was downloaded from the internet. So, like most malware these days (Windows included), it basically requires fooling the user into installing the software.
  • It relies on the naivete of users...

    Which is unbounded. That's why we continue to get Nigerian bank scam SPAM. Someone always falls for it.
  • Windows is immune to this

    Kudos to Microsoft. Makes me very happy I'm not stuck with osx.
    • Too bad PCs aren't immune to Windows

      • What's the matter?

        Mad because your Mac is vulnerable? Sucks to be you I guess. Troll.
    • Still waiting for anyone to prove me wrong

      I've made a statement: Windows is immune to this.

      I've seen a lot of huffing and puffing, a lot of deflection, a lot of blaming the user. I've yet to see anyone actually prove my statement wrong.
      • Oh Toddy!

        Even though I know your reply will involve "I was talking about Backdoor:OSX/KitM.A", which of course won't run in Windows, perhaps you should take a look here: http://www.cknow.com/cms/vtutor/number-of-viruses.html

        I love the opening statement:
        "There are more MS-DOS/Windows viruses than all other types of viruses combined (by a large margin). Estimates of exactly how many there are vary widely and the number is constantly growing."
        • And?

          You've just argued that there is more malware that affects Windows-based systems vs Mac OS X-based systems, which no one has denied. I find it funny that all of you Mac people who loved to claim that Macs are invulnerable to any malware are consistently proven wrong about that, and rather than accept the fact that NO OS is invulnerable you bring up the whole lame "well there is more malware on Windows" argument. Why is that?
      • Hum, what is your point?

        Macs are immune to the gazillion pieces of Windows malware as well. Windows, Mac, Linux, etc. are all immune to some of each other's malware. Some malware is platform specific. Again, what is your point?
    • Really??

      So if Windows users click a bad link in email nothing will happen? Of course this malware doesn't affect Windows, but there are millions of others that do. Yes this is a user education issue, if you click a poisoned link you get poisoned.
      • Ding, Ding, Ding!

        Finally the voice of reason! However I can see Toddy's point as all the rabid frothing at the mouth Mac zealots have claimed that Macs are invulnerable, that there IS NO malware that affects Macs, that only Windows machines get malware... and I for one find it amusing that they are finding out just how wrong they were.
        • What are you going on about?

          Point to a single person in this thread who has said anything of the sort? (not the nameless frothing Mac hordes, or whatever that pretended to be about)
          • It would be silly to write that in this blog

            But go to any Windows malware blog story and the horde is there, telling us to switch to Mac because then you won't get any malware, usually followed by "proof" in the form of "osx is immune to this particular piece of malware".
      • Indeed

        I must have told and shown our users at least 100 times: don't click a suspect link, don't click anything that says "click me", without hovering over the button/link in question and seeing if it actually links to the domain it claims. I am the only Mac user, but IT is just one of the many points on my .. my hat has only 37 corners!
    • Immune to the binary executable?

      Yes. Immune to a social engineering attack that gets you to install something? Not a chance.

      Someday when OSes are "app store only" this kind of attack will diminish. But right now, this is an easy enough thing to pull off on any OS.
      • Good argument, too bad it doesn't count

        Yes, this argument has been used against the apple horde in stories about Windows malware but we were told it was a stupid argument.
      • You've just insulted apple

        They had a whole campaign around the fact that osx was immune to Windows binary executables with no mention that osx was extremely vulnerable to osx binary executable malware. So call this argument a silly one, all you are doing is insulting apple. Bet you want to take that one back now.