New Mac Malware Discovered on Attendee Computer at Anti-Surveillance Workshop

Mac spyware was discovered on the computer of an activist who attended a free speech workshop in Oslo.

In an Oslo Freedom Forum workshop offering advice to free speech advocates on how to better secure their devices against government surveillance, security researcher Jacob Appelbaum uncovered a new strain of malware with backdoor capabilities on the Mac machine of an Angolan activist attending the event.

Appelbaum is probably best known for his work with the online-anonymity project Tor and for his affiliation with, and various legal battles regarding, the 2010 and 2011 publications of U.S. State Department cables by the online whistle-blower WikiLeaks. Appelbaum was also the first researcher to publicly detail the attack on the certificate authority Comodo.

F-Secure’s Mac analyst, known simply as “Brod,” is still investigating the malware, but his fellow F-Secure researcher Sean Sullivan notes that the sample is signed with a legitimate Apple Developer ID. It launches from the users and groups folder and dumps screenshots into another folder called “MacApp.”

The Trojan appears capable of a number of fairly simple spying functions, such as taking screenshots and uploading .zip files. It also connects to two command-and-control servers, one in the Netherlands and one in France. At the time of his publication yesterday morning, Sullivan wrote that the French C&C server would not resolve and the Dutch one returned a “forbidden” response when he tried to access it.

On Twitter, Sullivan and Appelbaum discussed that the Trojan appeared to be related to an older piece of Mac malware called HackBack.

Appelbaum claims that the Angolan activist’s Mac was compromised in a spear-phishing attack.

Apple has since revoked the Developer ID with which the malware is signed, according to a tweet sent by Appelbaum.

According to VirusTotal, one of 46 antivirus vendors is detecting the threat. That vendor is F-Secure, which identifies it as Backdoor:OSX/KitM.A (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e).
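The article gives a defender two concrete things to look for: the SHA-1 of the signed sample and the “MacApp” folder into which the backdoor writes its screenshots. The script below is an added example, not code from the article or from F-Secure. It walks a directory tree, streams every regular file through SHA-1 and reports any file whose digest matches the hash quoted above; it also reports any directory named “MacApp” as a weaker, behavioural indicator. Because the article does not give the parent path of that folder, the script flags the name wherever it appears, and that directory rule is an assumption for illustration rather than an official F-Secure detection.

```python
"""Hash-based IoC sweep for the OSX/KitM.A sample described in the article.

Added example, not the article's or F-Secure's own code. Walks a directory
tree, hashes each regular file with SHA-1 and reports matches against a
known-bad set. The only hash in the default set is the one the article
quotes from VirusTotal. Directories named "MacApp" are reported as a
weaker indicator, since the article says the backdoor stores screenshots
there (the exact parent path is not given, so any such name is flagged).
"""
import hashlib
import os
from dataclasses import dataclass

# SHA-1 quoted in the article for Backdoor:OSX/KitM.A (VirusTotal).
KITM_SHA1 = {"4395a2da164e09721700815ea3f816cddb9d676e"}

# Directory name the article says the malware drops screenshots into.
# Treated here as an assumed, weak indicator (exact location unknown).
SUSPECT_DIR_NAMES = {"MacApp"}

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are not loaded whole


@dataclass
class Finding:
    kind: str    # "hash_match" or "suspect_dir"
    path: str
    detail: str


def sha1_of_file(path: str) -> str:
    """Return the lowercase hex SHA-1 of a file, streamed in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, bad_hashes=KITM_SHA1, dir_names=SUSPECT_DIR_NAMES) -> list:
    """Walk `root` and collect findings; unreadable files are skipped, not fatal."""
    bad = {h.lower() for h in bad_hashes}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in dir_names:
                findings.append(Finding("suspect_dir", os.path.join(dirpath, d),
                                        "directory name matches screenshot drop folder"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Skip symlinks and special files; only hash regular files.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                digest = sha1_of_file(full)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if digest in bad:
                findings.append(Finding("hash_match", full, f"sha1={digest}"))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for f in sweep(root):
        print(f"[{f.kind}] {f.path}  ({f.detail})")
```

Run it against a home directory (`python3 kitm_sweep.py ~`). A hash match is a strong indicator; a bare “MacApp” directory is only a prompt to look closer, since legitimate software could use that name. On macOS the signing identity the article says Apple revoked can be inspected with `codesign -dv --verbose=4 <file>`, which prints the Developer ID the binary was signed with.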
