Researchers find more versions of digitally signed Mac OS X spyware

The malware is connected to Indian cyberespioange operation and has been active since at least December 2012, researchers say

Security researchers have identified multiple samples of the recently discovered "KitM" spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.

KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screen shots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.

The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.

The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate, issued by Apple to someone named "Rajinder Kumar." Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.

The first two KitM samples found last week connected back to C&C servers hosted in the Netherlands and Romania. Researchers from security vendor Norman Shark linked the domain names of those servers to the attack infrastructure of a large cyberespionage campaign of Indian-origin dubbed "Operation Hangover."

On Wednesday, F-Secure researchers obtained more KitM variants from a Germany-based investigator. These samples were used in targeted attacks between December and February and were distributed via spear-phishing emails carrying .zip archives, the F-Secure researchers said in a blog post.

Some of the malicious attachments were called Christmas_Card.app.zip, Content_for_Article.app.zip, Interview_Venue_and_Questions.zip, Content_of_article_for_[NAME REMOVED].app.zip and Lebenslauf_fur_Praktitkum.zip.

"Though the spear phishing payloads are not particularly 'sophisticated,' the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework," the F-Secure researchers said Thursday in a different blog post.

The KitM installers contained in the .zip archives are Mach-O executables, but have icons corresponding to image and video files, Adobe PDF documents and Microsoft Word documents. This is a trick frequently seen with Windows malware distributed via email.

The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.

"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."

Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven't been discovered yet might exist.

In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.

However, this setting would be inconvenient for users in corporate environments, who need to run custom software developed in-house, Botezatu said. Such custom applications are intended for internal use only and are not published on the Mac App Store, so a more restrictive Gatekeeper setting would likely complicate their deployment process, he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwareApplespywarebitdefenderf-secureNorman Shark

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

Logitech Ultimate Ears Wonderboom Bluetooth Speaker

Learn more >

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?