Successful Windows malware ported to Mac

A Mac port of the XSLCmd backdoor, a tool long used in targeted Windows attacks, has been in circulation for at least several weeks, and still no anti-malware product detects it.

A very long blog entry by FireEye Labs analyzes a new Mac version of the XSLCmd backdoor; the Windows version has been around since at least 2009, and the Mac version shares a significant portion of its code with it.

In this and a follow-up post, FireEye cites Forrester in claiming that 52 percent of newly issued computers in the enterprise are Macs. Even if Mac use isn't growing in a broad market sense, it is the clear leader in the premium segment of the market, the segment used by the higher-ups in enterprises, who are also the most attractive targets for targeted attacks.

The backdoor "...has been used extensively in targeted attacks over the past several years, having been updated many times in the process." It allows a remote attacker to launch a shell, do file listings and transfers, install executables and configure updates. But the Mac version has two new features: key logging and screen capture.

The OS X version was submitted to VirusTotal on August 10. No products found it then and, as of the scan at 2014-09-04 16:40:56 UTC, there were still no products that detect it.

FireEye Labs' program analysis is detailed and lengthy, and we won't reproduce it here.

Files created by OSX.XSLCmd - source: FireEye

Some characteristics of OSX.XSLCmd suggest that it is older than one month. The main hint is the lack of support for OS X 10.9, the current version: the version checking indicates that it was written for version 10.8 and attempts to support older versions. In fact, this specific sample "...uses an API from the private Admin framework that is no longer exported in 10.9, causing it to crash."

FireEye identifies the authors of the program as "GREF," a name they coined owing to the group's use of Google references in their work. (For example, they have faked "" in referrer headers and hidden web exploit code inside code blocks for Google Analytics.)

FireEye believes that GREF is the only group using this malware, on Windows or Mac. "Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGOs, especially those with interests in Asia."