New Mac Backdoor Olyx Found Bundled With Windows Malware

Security researchers have discovered a new piece of malware that targets Mac OS X users and installs a remote-control backdoor on compromised machines. The malware, called Olyx, was discovered in a package that also contained some Windows malware and researchers say that the Mac backdoor is remarkably similar to the Gh0st RAT that was used in the infamous Ghostnet attacks in 2009.


The Olyx backdoor was discovered by researchers at Microsoft, who found it sitting alongside a malicious Windows executable in a package called “PortalCurrent events-2009 July 5.rar”. Upon digging into the package, they found that there were two files: the Olyx backdoor targeting Mac users and an executable called “Video-Current events 2009 July 5.exe.”

That executable is also signed with a valid digital certificate that was issued by a Chinese company. The certificate, which was valid at the time the file was signed, has since been revoked, Microsoft said. The second binary is called “Current events 2009 July 5 Mach-O.”

“The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named “google” in the /Library/Application Support directory, where the backdoor installs as “startp”. It also keeps a copy in the temporary folder as “google.tmp”. It creates “www.google.com.tstart.plist” in the /Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in – this applies to all accounts on the system,” Meths Ferrer of the Microsoft Malware Protection Center, said in a blog post.

“The backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established.”
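The persistence mechanism quoted above lends itself to a straightforward host check. The following Python script is an added example written for this article, not code from Microsoft or the article's author: it scans a LaunchAgents directory for the plist name given above, or for any agent whose Program/ProgramArguments key (standard launchd keys, not mentioned on the page) runs a binary from the fake google support folder, and demonstrates the scan on a constructed directory rather than a real system. On a live Mac you would point scan_launch_agents at /Library/LaunchAgents and at each user's ~/Library/LaunchAgents.

```python
import os
import plistlib
import tempfile

# Artefact names taken from the MMPC description quoted in the article.
OLYX_PLIST = "www.google.com.tstart.plist"
OLYX_DROP_DIR = "/Library/Application Support/google/"

def scan_launch_agents(agents_dir):
    """Return [(plist name, reason)] for every LaunchAgent in agents_dir that
    matches an Olyx indicator: the known plist name, or a Program /
    ProgramArguments entry that runs something from the fake google folder."""
    findings = []
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        if name == OLYX_PLIST:
            findings.append((name, "known Olyx LaunchAgent file name"))
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # malformed or unreadable: flag for manual review
            findings.append((name, "unparseable plist"))
            continue
        if not isinstance(plist, dict):
            continue
        targets = list(plist.get("ProgramArguments", []))
        if plist.get("Program"):
            targets.append(plist["Program"])
        for target in targets:
            if isinstance(target, str) and target.startswith(OLYX_DROP_DIR):
                findings.append((name, "launches " + target))
                break
    return findings

def demo():
    """Scan a constructed LaunchAgents directory (not real system data) holding a
    benign agent and an Olyx-style agent saved under a different plist name."""
    with tempfile.TemporaryDirectory() as agents:
        with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
            plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                           "ProgramArguments": ["/usr/local/bin/updater"]}, fh)
        with open(os.path.join(agents, "com.renamed.agent.plist"), "wb") as fh:
            plistlib.dump({"Label": "com.renamed.agent", "RunAtLoad": True,
                           "ProgramArguments": [OLYX_DROP_DIR + "startp"]}, fh)
        return scan_launch_agents(agents)
```

The renamed agent is still caught because the check keys on where the agent's program lives, not only on the plist file name; the benign updater produces no finding.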

Once the compromised machine is able to connect to the remote server, the attacker has the ability to download new files to the Mac, upload data stored on the machine and move through its file system.

Mac-based malware is still a relatively uncommon thing, with viruses and Trojans targeting Apple’s OS representing just a tiny fraction of the overall volume of malware discovered each year. But attackers have begun paying more attention to the Mac platform as Apple’s market share increases and more valuable assets are available to target.


Discussion

  • Anonymous on

    There is so much missing data!

    1. Which CPU family is vulnerable?

    2. Which versions of OS X are vulnerable?
