by Wang Wei
Sept. 9, 2014 (TSR-HackerNews
) – Till now we have seen a series of different malware targeting Windows operating system and not Mac, thanks to Apple in way it safeguard its devices’ security. But with time, cyber criminals and malware authors have found ways to exploit Mac as well.
GROUP BEHIND THE MAC VERSION OF BACKDOOR
Researchers have unmasked a group of cyber criminals that has recently started using a new variant of XSLCmd backdoor program
to target Mac OS X systems. This Mac version of backdoor shares a significant portion of its code with the Windows version of the same backdoor that has been around since at least 2009. According to FireEye researchers, the group, dubbed as GREF
, is already infamous for its past cyber espionage attacks against the US Defense Industrial Base (DIB), companies from the electronics and engineering sectors worldwide, foundations and other NGO’s as well.
“We track this threat group as “GREF” due to their propensity to use a variety of Google references in their activities – some of which will be outlined later in this report. Our tracking of GREF dates back to at least the 2009 timeframe, but we believe they were active prior to this time as well.” researcher said.
WINDOWS MALWARE NOW TARGETING MAC OS X
The malicious program used by the group has ability to open a reverse shell, list and transfer files and install additional malware on the computer it infects. The Mac version of backdoor can also log keystrokes as well as capture screenshots. The group has been using the same XSLCmd backdoor to target Windows users for years.
“The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process,” security researchers from FireEye said Thursday in a blog post.
HOW BACKDOOR HIDE ITSELF
Once installed on a Macintosh computer, the malware copies itself to /Library/Logs/clipboardd and $HOME/Library/LaunchAgents/clipboardd. The malware also creates a com.apple.service.clipboardd.plist file to ensure its execution after the system reboots.
The code contained in the malware checks for the OS X version of the devices, but account for version 10.8 (Mountain Lion) and versions older than that. This indicates that the malware lack in support for OS X version 10.9, the current version of Mac.
Indeed, this specific sample of malware “..uses an API from the private Admin framework that is no longer exported in 10.9, causing it to crash.“
GROWING MARKET OF MAC MALWARE
In a follow-up blog titled, Apple OS X: Security Through Obscurity is becoming an Absurdity, FireEye researchers mention Forrester in claiming that the usage of Apple devices is growing rapidly with 52 percent of newly issued computers in the enterprise being Macs.
Since 41 percent of enterprise including VIPs, executives and manager level employees are Apple users, they automatically becomes the prime and rich targets of the cyber criminals. So, cyber criminals are trying every effort to turn malicious and complex Windows malwares to target Mac users.