Old Mac malware uncovered

Icefog, a Mac version of Windows malware, is a year old but only recently discovered by Kaspersky. It was used experimentally in the Far East, bundled with the legitimate program Img2icns.

In a report on the Icefog APT (Advanced Persistent Threat), Kaspersky Lab reveals that the authors created a Mac program to connect to their botnet. It was used in limited, experimental attacks in the Far East, primarily in South Korea and Japan.

The Windows versions of the threat date back at least to 2011. The Mac version presents very differently: it is hidden in a bundle with the legitimate graphics program Img2icns, which converts images to icons and vice versa. When the user installs and then launches Img2icns, they also load the Icefog trojan.

The poisoned Img2icns appeared in Chinese BBS forums in late 2012. Kaspersky believes the program was an experiment as parts of it are incomplete.

A BBS posting of the Mac Icefog trojan, bundled with the graphics program Img2icns

The backdoor portions of the program are similar to their Windows counterparts: they collect information about the host system, report it back to the command and control server and then request commands to execute.

The program is a 64-bit binary and compatible only with OS X 10.7 and 10.8. Since it is not code-signed, OS X 10.8 systems on which the Gatekeeper feature is set to block unsigned programs will not be vulnerable.

Mac antimalware company Intego notes that this threat is similar to OSX/Leverage in that it "...inhibits the Dock icon and Command-Tab application switching when the backdoor is launched, making it more difficult for a user to spot."

Kaspersky says that a few hundred users were infected with the Mac Icefog, although they haven't identified any specific infected systems. They speculate that this version was a trial (beta) run for a program to be used later in targeted attacks.

Antimalware companies are slowly catching up to Icefog. According to VirusTotal's most recent analysis of the components (performed at 16:21:39 UTC on 9-29-2013), it was detected by 10 of the 44 products they tested. There's no real hurry, as the threat does not seem to be active in the wild.

As detection spreads we may find out if derivative attacks were in fact committed more recently.

Hat tip: The Safe Mac