OSX Backdoor Found on Angolan Activist’s Mac, Apparently Downloaded from Romania

The Bitdefender labs are currently working on an analysis of a Mac OS X backdoor that has been discovered by independent security researcher Jacob Applebaum on an Angolan activist.

The victim, who had fallen victim to a phishing scam, ended up installing a malicious piece of code that acts as a backdoor, taking screenshots, and then uploading them to the command and control center. While relatively basic, the backdoor uses system tools to accomplish its tasks.

The original application, as well as a secondary sample, have been isolated and analyzed. They were both digitally signed with a legitimate Apple Developer ID belonging to a dev called Rajinder Kumar. Apple has reportedly revoked the Developer ID after the infection was found. As the malware sample was digitally signed with a Developer ID, it was able to bypass the Apple Gatekeeper execution prevention mechanism.

After successfully infecting the operating system, the malware takes screenshots and uploads them to security[removed], an URL which is present in both variants of the backdoor.

The attack appears to target more than one user. The Bitdefender analysis reveals that the second sample performs a GET request to tor[removed] with the hostname and the “no” passed as parameters. The server replies with an ID, which is then used in combination with the hostname to generate a download link. When the download has finished, the payload is unpacked in the Applications folder and then the malware calls back home to report the successful installation.

The tor[removed] domain does not resolve anymore, but it pointed on a virtual private server located in Cluj, Romania.

We mentioned earlier that the piece of malware is rudimentary with limited functionality and little antivirus protection – the code is not obfuscated and can be easily read and the app is visible in the Login Items list of the current user. Malware creators have taken little precaution in making the threat undetectable mostly because Mac OS X users rarely consider installing an antivirus solution, so they have nothing to worry about once they tricked the victim into installing the malware.

Secondly, the damage inflicted by a system compromise may be irreparable: OS X is highly popular with managers and decision makers, so the data exfiltrated from the affected systems is much more valuable to cyber-crooks. As of April 2013, Mac OS X had a market share of about 7 percent.

In order to see if you are infected, you are advised to install an antivirus security solution for Mac OS X such as the Bitdefender Antivirus for Mac. We detect this threat as MAC.OSX.Backdoor.KitM.A

Some information in this material is provided courtesy to Bitdefender malware researcher Mihai Stoicoi.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.