Security researchers have discovered a new piece of malware that targets Mac OS X users and installs a remote-control backdoor on compromised machines. The malware, called Olyx, was discovered in a package that also contained some Windows malware and researchers say that the Mac backdoor is remarkably similar to the Gh0st RAT that was used in the infamous Ghostnet attacks in 2009.
The Olyx backdoor was discovered by researchers at Microsoft, who found it sitting alongside a malicious Windows executable in a package called “PortalCurrent events-2009 July 5.rar”. Upon digging into the package, they found two files: the Olyx backdoor targeting Mac users and an executable called “Video-Current events 2009 July 5.exe”.
The Windows executable is signed with a digital certificate issued by a Chinese company. The certificate was valid at the time the file was signed but has since been revoked, Microsoft said. A valid signature only shows that the signer held the key, not that the code is benign, and revocation only protects systems that actually check revocation status before trusting the signature. The second file, the Olyx backdoor itself, is a Mach-O binary called “Current events 2009 July 5 Mach-O”.
“The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named ‘google’ in the /Library/Application Support directory, where the backdoor installs as ‘startp’. It also keeps a copy in the temporary folder as ‘google.tmp’. It creates ‘www.google.com.tstart.plist’ in the /Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in – this applies to all accounts on the system,” Meths Ferrer of the Microsoft Malware Protection Center said in a blog post.
“… backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established.”
Once the compromised machine reaches the remote server, the attacker can push new files down to the Mac, pull data stored on it back to the server and browse its file system.
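The on-disk footprint and the hard-coded control address quoted above are enough for a host triage sweep. The script below is an added example written for this page, not code from Microsoft or from the article: it checks a scan root (the live volume or a mounted image) for the startp binary, the google.tmp copy and the LaunchAgent plist, parses the plist with the standard plistlib module to confirm what it launches at login, and filters netstat-style output for connections to 121.254.173.57. Everything the article does not state is an assumption and is marked as such in the code: the plist's contents (a minimal LaunchAgent with Label, ProgramArguments and RunAtLoad), the exact temporary folder (/tmp and /private/tmp are checked), the port in the constructed netstat sample, and the sample tree the script builds for itself when run without a scan root.

```python
#!/usr/bin/env python3
"""Host triage sweep for the Olyx indicators quoted above (added example)."""
import os
import plistlib
import re
import sys
import tempfile
from xml.parsers.expat import ExpatError

# Indicators from the article, expressed relative to a scan root so the sweep
# can be pointed at "/" on a live Mac or at a mounted disk image.
IOC_STARTP = "Library/Application Support/google/startp"
IOC_PLIST = "Library/LaunchAgents/www.google.com.tstart.plist"
IOC_TMP_NAME = "google.tmp"        # article says "the temporary folder"; exact path assumed
TMP_DIRS = ("tmp", "private/tmp")  # assumption: the usual macOS temp locations
C2_IP = "121.254.173.57"


def check_launch_agent(plist_path):
    """Parse a LaunchAgent plist and report what it runs and when.

    Returns None when the file is missing or is not a valid plist.
    """
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None
    args = data.get("ProgramArguments") or []
    return {
        "label": data.get("Label"),
        "program": data.get("Program") or (args[0] if args else None),
        "run_at_load": bool(data.get("RunAtLoad", False)),
    }


def scan_for_olyx(root):
    """Return a list of human-readable findings for the Olyx footprint under root."""
    findings = []
    for rel in (IOC_STARTP, IOC_PLIST):
        if os.path.exists(os.path.join(root, rel)):
            findings.append("file present: /" + rel)
    for tmp in TMP_DIRS:
        if os.path.exists(os.path.join(root, tmp, IOC_TMP_NAME)):
            findings.append("file present: /%s/%s" % (tmp, IOC_TMP_NAME))
    # Confirm the persistence entry actually points at the dropped binary.
    agent = check_launch_agent(os.path.join(root, IOC_PLIST))
    if agent and agent["program"] and agent["program"].endswith("/google/startp"):
        findings.append("launch agent %s runs %s (RunAtLoad=%s)"
                        % (agent["label"], agent["program"], agent["run_at_load"]))
    return findings


def find_c2_connections(netstat_output, c2_ip=C2_IP):
    """Return the lines of `netstat -an`-style output that involve the C2 address.

    macOS prints addresses as ip.port and Linux as ip:port; both are matched.
    A half-open SYN_SENT entry counts: the backdoor retries until it connects.
    """
    pat = re.compile(r"\s" + re.escape(c2_ip) + r"[.:]\d+(?=\s|$)")
    return [line for line in netstat_output.splitlines() if pat.search(line)]


def build_sample_infected_tree(root=None):
    """Create a constructed copy of the footprint under root (a fresh temp dir by
    default) and return root. File contents and the plist keys are assumptions."""
    root = root or tempfile.mkdtemp(prefix="olyx-sample-")
    for rel in (IOC_STARTP, os.path.join("tmp", IOC_TMP_NAME)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not the real binary\n")
    plist_path = os.path.join(root, IOC_PLIST)
    os.makedirs(os.path.dirname(plist_path), exist_ok=True)
    with open(plist_path, "wb") as fh:
        plistlib.dump({"Label": "www.google.com.tstart",
                       "ProgramArguments": ["/" + IOC_STARTP],
                       "RunAtLoad": True}, fh)
    return root


# Constructed netstat output; the C2 port (80) is an assumption.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49321     121.254.173.57.80      SYN_SENT
tcp4       0      0  192.168.1.20.49322     17.253.57.199.443      ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
"""


if __name__ == "__main__":
    # Usage: olyx_sweep.py [scan_root]; with no argument a sample tree is built.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_infected_tree()
    for finding in scan_for_olyx(scan_root):
        print(finding)
    for line in find_c2_connections(SAMPLE_NETSTAT):
        print("C2 connection:", line.strip())
```

Run it against a live system as `python3 olyx_sweep.py /` and pipe real `netstat -an` output into `find_c2_connections` instead of the constructed sample; on a mounted image point the scan root at the image's mount path. The plist check matters because the file name alone can be faked in either direction: an attacker can rename the agent, and a defender can be fooled by a stale, empty plist, so the sweep reports what the agent actually launches rather than only whether the file exists.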