MacControl Trojan Being Used in Targeted Attacks Against OS X Users

Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers in China now have taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. 

Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks.

“A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file,” Jaime Blasco of AlienVault wrote in an analysis of the attacks.

The content of the Word file is a rambling letter addressed to the United Nations Human Rights Commission discussing the anniversary of the Tibetan uprising against China. Once the Word file is opened, the initial payload of the malware executes and copies itself to memory. The second stage then executes, copies some files to the /tmp/ folder and runs a script.

Then, a pair of document files drop a Mac Trojan that AlienVault discovered earlier this month, which uses a C&C server based in New York. After that the malware installs a second, previously unknown Trojan that uses a China-based server for command and control.

“The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386...). We have also found a version that has paths to debugging symbols. So the group seems to have a project called ‘longgege’ and the actual trojan is named ‘MacControl’ by them,” Blasco said.

The Trojan will be executed every time the computer starts and has the ability to listen for new commands from the C&C server.
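The article describes files staged in /tmp/ and a Trojan that runs at every start. As an added defender-side example (not code from the article or from AlienVault), the script below audits macOS launchd persistence plists and flags jobs whose program is staged in a temporary directory; the launchd mechanism and the sample plists are assumptions, and the paths are constructed placeholders, not real indicators.

```python
# Added example, not from the article or AlienVault: audit macOS launchd
# persistence plists and flag jobs whose program is staged in a temporary
# directory (the article: files copied to /tmp/, trojan runs at every start).
# The launchd mechanism and the sample plists below are assumptions.
import plistlib

# Directories a legitimate startup job should not normally run from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def program_of(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None

def audit_plist(raw):
    """Parse one launchd plist (bytes) and return label, program and findings."""
    job = plistlib.loads(raw)
    prog = program_of(job)
    reasons = []
    if prog is None:
        reasons.append("no program specified")
    elif prog.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("program runs from a temporary/shared directory")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched if killed")
    return {"label": job.get("Label"), "program": prog,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample plists (placeholder paths, not real indicators).
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/tmp/constructed_payload</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for raw in (MALICIOUS_PLIST, BENIGN_PLIST):
        print(audit_plist(raw))
```

On a real system the same function can be run over every file in ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.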

This is one of the few known targeted attack campaigns that has specifically gone after Mac users, and it follows closely on the heels of a series of spear phishing attacks that targeted Tibetan non-governmental organizations last week. Those attacks employed tactics similar to the current Mac attacks but used a Java exploit, and researchers said they might have been tied to the same group that initiated the infamous GhostNet attacks several years ago.

Discussion

  • Anonymous on

    This may sound petty, but I'm kind of glad that there are more target malware going after Mac. I get tired of hearing Mac users always claim that their systems are better just because no one bothers with them. It was bound to happen sooner or later though.

  • Anonymous on

    This may sound petty, but you do realise that this particular exploit only works whilst running a Microsoft application - Word - on a Mac. Don't use Word (and why would you), and your Mac is safe from this one :-)

  • Anonymous on

    I only have to download and then open a Word file??? Even though that seems like a long shot it is far more advanced than asking for my password like they used to. Once again the weakest link is Microsoft. meh.

  • Todd on

    What else are you going to use for word processing? Open Office? Whatever junk OS X provides? Word is an excellent word processor, and is obviously a staple installation on a large percentage of Macs. What else is there? iWork? Why buy that when you can get Office.

    The problem isn't Microsoft, it's just the fact Microsoft has such a large footprint. It's only a matter of time until the Mac footprint gets large enough that these are more commonplace.

  • Kevin on

    Todd, it's called Pages, and it's excellent. Word is bloatware. 

  • Emily on

    I use only Open Office. I think Word stinks, and I paid a bunch of money for it because I need to have a bulk mail account and the post office said I had to buy that.

    I don't know, but people who seem informed say that Macs are built way better, the inner workings. One article I read on it said it was like knotting every stitch of a hem.

    Why would you open a file like that, assuming it was titled describing a letter concerning the UN?  I would know I didn't put that on my computer.

  • Anonymous on

    Pages... so excellent that the majority of computer users have probably never heard of it. Therefore, why should malware target it? Most everyone has heard of Office and uses it one way or another.

    The end of the article speaks of using an exploit in Java. Most of the malware that infects any computer can usually be avoided by turning off scripting in the browser or use an addon that lets you control what scripts run on the page. Of course that makes sites harder to navigate or even unusable until you know which ones to allow to run.

  • Zarina on

    Yup, the only way to ignore it is to agree that even a Mac can cause a virus.

  • Scott G on

    I agree the weak link is Microsoft after reading the article and the postings below. Apple Pages is a great application and is forward and backward compatible with MS Word. Potential problem? Resolved! 

  • John Cockroft on

    The reason that Windows (and to a lesser extent OS/X) has all the virus/malware problems that it has is due to three main factors (which are related):

    1)  Binary Compatibility - Windows 7 (and presumably the x86 build of Windows 8) is binary compatible with applications stretching back nearly 30 years - you can get DOS programs to run which were written in the 1980s.  As useful as this is, it means that Microsoft has to keep all the architectural 'baggage' which allows these old DOS, WIN16 and WIN32 applications to run.  That means being unable to change the architecture if an ARCHITECTURAL security flaw is found in the system.

    2) Closed Source/Binary Licensing - because the business model is based on closed source applications (from 3rd parties as well), being SOURCE compatible is not an option - newer operating systems have to be BINARY compatible as well.  With every major kernel release (or glibc) of various Linux distributions, binary compatibility is (potentially) broken and all source code needs compiling against the new ABIs.  That means that potential exploits (such as buffer overflows) change - making the OS harder to target.  Microsoft cannot do this (and to be fair they have tried very HARD to beef up security on Windows) as they do not have the source code from other vendors so (as above) have to keep the binary architecture the same.  Apple broke binary compatibility when they moved from OS/9 to OS/X but have kept binary compatibility ever since.  That means over time the Mac becomes more susceptible to this sort of attack.  That is also why attacks via (say) LibreOffice are much rarer (even if you ignore market share).

    3)  Sandboxing - pure Linux/Unix applications have a very strict sandboxed security model in which a user can only access his/her own files and cannot change anything else.  The Mac (alas) allows or even encourages users to install applications using the user's own permissions thus defeating sandboxing.  Windows users have always been used to the fact that they (as a particular user) can do anything they want to on the system.  This makes trojan type attacks MUCH harder on Linux (and on Macs if they install applications using sudo/root).  The same goes for shared memory segments/permissions.  LibreOffice is much better 'behaved' than MS Office in terms of user based security.

    LibreOffice is a powerful modern office suite which is quite capable of being used as a replacement for Microsoft Office.  I use LibreOffice 3.5 every day, Firefox as my web browser, GIMP for image editing and Thunderbird as my email client instead of Outlook. LO 3.5 can even read/modify Visio files in its latest incarnation although there is no equivalent to the Visio Palette yet (they are working on it :) ).  IMHO you would be silly to pay for MS Office on a Mac when you can legally download and use LibreOffice (which is much safer anyway as this article demonstrates).  Even better - use a Linux PC instead of a Mac (I am writing this on a Lenovo S205 running Ubuntu 11.10 - 64-bit and Firefox 11.0).

    Scoff all you like - this is just as usable (if not more so) than a PC running Windows 7 and Microsoft Office 2010, vastly more secure (and yes ANY computer can get a virus in theory but I keep everything as up-to-date/patched as I can and sandboxed/firewalled).   This is MUCH better protection than having virus scanners - which give you the ILLUSION of security and are useless when the next exploit appears and goes straight through the scanner.  Fix the problem - don't paper over the architectural/security flaws!

  • Anonymous on

    Apple only supplies security and stability updates for its last two OS versions in circulation, then releases a new OS version every year, ignoring the security of millions of its non-computer-savvy types who just buy the machine and only use Software Update. (hint: 10.4 and 10.5 users are pwnable). The new OS X version always has more holes in it than a piece of maggot-ridden Swiss cheese; you should see the patches, as many as 80 vulnerabilities fixed, more than double whatever Microsoft has produced at one time, but we don't hear about it in the media. Apple waits several months, even a year sometimes, while Macs are being raped, before issuing a critical patch for well-known vulnerabilities. And Webkit? A POS. You know now why Google has been paying out all that money to white hats, why iTunes and Safari get hacked? Mac users should disable Java in their browsers, quit using anything from Microsoft or Google, use Flash on a per-safe-site basis, quit installing crapware like MacKeeper. Nothing gives a hacker more pleasure than raping some rich pompous Mac fanboi's machine. There is a problem with Macs not getting viruses and thus keeping users on alert: they get pwned and don't even know it. Third-party software can't help either; Apple routinely changes things under the hood so it breaks whatever gets installed. The problem is Apple doesn't fix things fast enough, giving one ample opportunity to get in, and once in, the machine is theirs to keep, to deny any patches. One doesn't need root either; most Macs are run single-user, where the first setup is Admin, so their files and apps are there for the picking. Ask for the password like you're legit and you've got root, then you can get into the firmware and they can't get you out, overload their batteries if you wish, install a logger into the keyboard firmware. At least one can throw their cheap $500 PC away, but a $2000 Mac?

    One would spend more in AppleCare and waiting in their damn long lines and crowded stores filled with wide-eyed morons who think they would be cool if they owned one and everyone would all of a sudden like them. Last off, Macs don't last very long; you've got 3 years and then it's rapidly downhill after that, Apple sees to it. They are messing with 10.6 users right now, breaking their Rosetta-based software. Trying to get your Mac fixed? Just about everything is soldered to the logic board, or they use that as an excuse, which means $700-$900 to replace, so you wind up just getting a new machine, which is their plan all along. Also they change the OS so often and then cancel features like MobileMe for earlier OS users who can't upgrade their machines to the newer OS version. So even if your machine is working fine, they deny you security updates, features etc. and basically punish you for switching. A quality Windows 7 machine, whose OS Microsoft supports for 10 years, is by far a much better long-term value than a Mac. All one has to do is use the built-in drive imager and they can restore the whole machine themselves when MS issues a patch. Heck, with a tower, just slap the spare drive right in and go.

  • Anonymous on

    One can't find video card replacements for the Apple towers, and in none of the others can anything be replaced. Also, good luck using a third-party monitor or keyboard; Apple is phasing that out too so you have to use their cheap overpriced stuff that doesn't work. Magic Mouse, what a joke; wireless keyboards that eat batteries, some environmentally friendly company Apple is.

  • Anonymous on

    I love it when people criticize Mac for "not working like a Windows PC".  I was a Microsoft fan -- even supporting them during their Vista debacle -- which wasn't nearly as bad as the media portrayed.  Windows 7 is fine, and Windows 8 may even be promising, but hard to get excited about (especially since it will cost me far more than an Apple OS upgrade).  I transitioned to Mac both at work and at home after getting the iPhone and iPad.  I LOVE IT!!  Is it perfect in the office? Nope.  There are a number of problems keeping my Macs on a Windows domain, as well as with LAN file naming.  Is it worth the aggravation?  For me, yes.  Will I debate that Macs are "safer" than PCs -- no!  Is one better than the other in this area, today? Yes -- for all the reasons mentioned in the article (the smaller footprint).  Will that change as Mac continues to gain popularity -- absolutely.  My opinion is, pick what you like, and understand it well.  Enjoy it, but don't criticize others for their interest in another platform (unless they are talking about Android -- :)  Just kidding).

  • LongTimeMacUser on

    Mac PPC user comment:

    Dealing for two weeks with Mac malware on several different Macs (yes, Leopard is vulnerable too).

    Had the actual plan to submit my knowledge here because I thought Kaspersky had a good reputation on security issues (with a moral exception for some of its users). So unfortunately writing in this post is already probably a waste of time; those MS vs Mac discussions are really annoying and probably only meant to annoy people (keep in mind that a lot of Mac users have experience on PC, but almost no PC users have on Mac, which results in a lot of "wiki-searched-&-collected-copy-paste arguments").

    I'll try to share my knowledge, data, photos and maybe helpful new insight / tips on these viruses somewhere else; F-Secure / ESET / Alienvault Labs.

    To Kaspersky: the boot CD did some good work in case of helping PC guys last year (as a Mac user ;-). Too bad there ain't no antivirus boot CDs for (PPC) Macs to get.

    Bye and good luck
    LongTimeMacUser


  • basilbart on

     

     I find it very refreshing to occasionally find a article such as yours with an unusual topic of this service. It somehow add to ones list of life’s experiences. Once again, thank you, hope to see more posts from you in the future

     

  • Anonymous on

    Love all the Mac fanboys who still try to argue as if Macs have no security vulnerabilities.  Some day I hope they get some InfoSec skills and realize how ignorant they are.  And yes, I understand that THIS particular one relies on a MS vuln...but there are plenty of others out there that are purely Apple's own and yet the fanboys still ignore those.
