'Lame' Mac malware finds success in spearphishing

Barely concealed security threat found on activist's Mac.

Security researchers have found a new but technically lame piece of Mac malware that has been used to spy on activists.

Security researcher Jacob Appelbaum recently discovered the malware on the Mac of an Angolan activist. He used the case to discuss security with activists from across the globe at the Oslo Freedom Forum in Norway this week. 

According to the researcher, the Angolan was the victim of a spearphishing attack and had received emails that duped them into installing the malware. 

The malware takes screenshots of the victim's display and dumps them in a folder called MacsApp. The captured files are then relayed to two remote servers.

The threat was not detected by any antivirus product when Appelbaum uploaded it to VirusTotal earlier this week; however, the malware also does very little to hide itself from the victim.

The malware appears in the Mac's Login Items list as a "Macs" application that is configured to open when the victim logs in.

Malware launches in plain sight. Image credit: F-Secure

Finnish security firm F-Secure added a signature to its product this week and has named the malware Backdoor:OSX/KitM.A. Sean Sullivan, a researcher with the vendor, noted that the malware was signed with an Apple Developer ID. Apple's Gatekeeper on OS X Mountain Lion blocks apps downloaded from outside its own App Store unless they are signed with a Developer ID, so a valid Developer ID signature lets the malware pass that check.
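As an added example (not code from the article, F-Secure or Rapid7), the following Python classifies how a login item is signed from the output of macOS's `codesign -dvvv`, so that a Developer ID signature is recognised as something Gatekeeper's default setting accepts rather than as evidence that the app is legitimate. The bundle path, identifier and team ID in the sample output are constructed.

```python
"""Classify a macOS bundle's signature from `codesign -dvvv` output (added example)."""
import platform
import subprocess

APP_STORE_LEAF = "Apple Mac OS Application Signing"   # leaf cert on Mac App Store apps
DEV_ID_PREFIX = "Developer ID Application:"           # leaf cert Gatekeeper accepts by default


def parse_codesign(text):
    """Extract the certificate chain, team ID and unsigned/ad-hoc state from codesign output."""
    info = {"authority": [], "team_id": None, "adhoc": False, "unsigned": False}
    for line in text.splitlines():
        line = line.strip()
        if "not signed at all" in line:
            info["unsigned"] = True
        elif line.startswith("Authority="):
            info["authority"].append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier="):
            info["team_id"] = line.split("=", 1)[1]
        elif line.startswith("Signature=") and "adhoc" in line:
            info["adhoc"] = True
    return info


def classify(info):
    """Return 'app-store', 'developer-id', 'adhoc', 'unsigned' or 'other'."""
    if info["unsigned"]:
        return "unsigned"
    if info["adhoc"]:
        return "adhoc"
    leaf = info["authority"][0] if info["authority"] else ""  # first Authority= is the leaf
    if leaf == APP_STORE_LEAF:
        return "app-store"
    if leaf.startswith(DEV_ID_PREFIX):
        return "developer-id"   # passes Gatekeeper; the team ID still needs review
    return "other"


def check_bundle(path):
    """Live check on macOS only: returns (classification, team_id). codesign prints to stderr."""
    if platform.system() != "Darwin":
        raise RuntimeError("codesign is only available on macOS")
    out = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    info = parse_codesign(out.stderr + out.stdout)
    return classify(info), info["team_id"]


# Constructed sample modelled on codesign's output for a Developer ID-signed login item.
SAMPLE_DEV_ID = """Executable=/path/to/Macs.app/Contents/MacOS/Macs
Identifier=com.example.macs
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""
```

On a Mac, `check_bundle("/path/to/Macs.app")` returns the classification and team ID for a real bundle; a Developer ID result is a cue to look up who owns that team ID, not a reason to trust the login item.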

Appelbaum provided a sample of the malware to Rapid7 malware researcher Claudio Guarnieri who reckons it is technically "lame".

"The malware itself is just an extremely lame piece of code that wraps around command line utilities to take screenshots, copy files and upload them," Guarnieri told ZDNet.

Still, as he noted on Twitter, it does work.