It was inevitable another sample of the Mac OS X spyware discovered last week would surface.
Researchers said today that a German investigator informed its researchers of another instance in the wild. Spread via a spear phishing campaign that’s apparently been circulating since December, the malware is a backdoor that opens a connection to a Romanian command and control server (liveapple[.]eu) and is able to steal screenshots and perform other surveillance on infected machines, researchers at F-Secure said. The first sample connected to servers in the Netherlands and France.
The startling aspect to this malware is that it is signed by a valid Apple developer certificate, which has since been revoked. The use of the valid Apple ID enables the malware to bypass Apple’s Gatekeeper protection in OS X. Gatekeeper is new to Mountain Lion and OS X Lion v 10.7.5 versions of the operating system and is a setting that gives the user control over where an Apple device can download applications. There are three options provided: Apple App Store only; App Store and developers with an Apple ID; or anywhere. Gatekeeper interprets that a signed application is not malware and is safe to run.
Since OSX/KitM.A, also known as OSX/Filesteal, was signed with an ID, it was able to bypass those protections. The malware was discovered last week during the Oslo Freedom Forum by security researcher and privacy activist Jacob Appelbaum. Best known for his work with the Tor Project and his involvement in WikiLeaks, Appelbaum found the spyware on the computer of an Angolan activist.
A few days later, researchers at Norman reported a link between KitM.A and targeted espionage attacks from India known as Operation Hangover. While initial targets were government and strategic agencies in Pakistan, the group, Norman said, moved into industrial espionage. It attacked Telenor of Norway, a large telecommunications company; Norman said the group also hit companies in manufacturing, military and financial sectors.
Operation Hangover, meanwhile, also uses the same command and control and attack infrastructure as the one used in the Mac spyware attacks.
