Researchers find more versions of digitally signed Mac OS X spyware

The malware is connected to Indian cyberespioange operation and has been active since at least December 2012, researchers say

Security researchers have identified multiple samples of the recently discovered "KitM" spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.

KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screen shots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.

The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.

The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate, issued by Apple to someone named "Rajinder Kumar." Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.

The first two KitM samples found last week connected back to C&C servers hosted in the Netherlands and Romania. Researchers from security vendor Norman Shark linked the domain names of those servers to the attack infrastructure of a large cyberespionage campaign of Indian-origin dubbed "Operation Hangover."

On Wednesday, F-Secure researchers obtained more KitM variants from a Germany-based investigator. These samples were used in targeted attacks between December and February and were distributed via spear-phishing emails carrying .zip archives, the F-Secure researchers said in a blog post.

Some of the malicious attachments were called Christmas_Card.app.zip, Content_for_Article.app.zip, Interview_Venue_and_Questions.zip, Content_of_article_for_[NAME REMOVED].app.zip and Lebenslauf_fur_Praktitkum.zip.

"Though the spear phishing payloads are not particularly 'sophisticated,' the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework," the F-Secure researchers said Thursday in a different blog post.

The KitM installers contained in the .zip archives are Mach-O executables, but have icons corresponding to image and video files, Adobe PDF documents and Microsoft Word documents. This is a trick frequently seen with Windows malware distributed via email.

The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.

"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."

Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven't been discovered yet might exist.

In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.

However, this setting would be inconvenient for users in corporate environments, who need to run custom software developed in-house, Botezatu said. Such custom applications are intended for internal use only and are not published on the Mac App Store, so a more restrictive Gatekeeper setting would likely complicate their deployment process, he said.

Join the PC World newsletter!

Error: Please check your email address.

Tags AppleNorman Sharksecurityf-securespywarebitdefendermalware

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?