CA Security Advisor Research Blog

New Trojans Strike OS X

Zlob’s OSX DNSChanger (also known as "RSPlug") struck last year in November, and thereafter became prevalent for several months. Last week, we discovered two new OSX backdoor trojans on the loose, both capable of infecting Macintosh users’ machines.

The first, OSX/Jahlav.A, is the work of the RSPlug author and it carries the installer name "MacAccess". This threat pretends to be a fix for ‘Video ActiveX Object Error’ and arrives as a disk image file (.dmg) which, when downloaded, automatically mounts and displays a pop-up message to start the installation process:

Example of installation pop-up displayed by OSX/Jahlav.A on execution

Affected OS X users should immediately notice the appearance of an icon for the disk image “install.pkg” on the desktop:

OSX/Jahlav.A drops a disk image icon to the desktop

and looking in “install.pkg/Contents/Info.plist”, the user should be able to find the following strings:

Brief Description: Microsoft Company Evil Bill
Application Name: MacAcess
Release/Build Version: 3.0
Authorization Action: RootAuthorization
Default Location: /Library/Internet Plug-Ins/
Installed Size: 376 KB

Example files dropped by OSX/Jahlav.A

The malicious installer contains three files, highlighted in the screenshot above:

  • Archive.pax.gz
  • preinstall
  • preupgrade  

Inside “Archive.pax.gz” are two files:

  • AdobeFlash
  • Mozillaplug.plugin

which the trojan installs to “/Library/Internet Plug-Ins”.

The files “preinstall” and “preupgrade” contain exactly the same code. The malicious shell script embeds a uuencoded block (the one headed “begin 777 withlove”) from which it drops the file “~/i386”, along with a temporary file called “\crons.inst”, whose purpose is to register a cron (scheduled) job:

* */5 * * * \"$path/$EVIL\" 1>/dev/null 2>&1

where $path is "/Library/Internet Plug-Ins/" and $EVIL is the filename “AdobeFlash” or “applemac”.

Via a second uuencoded block (headed “begin 666 jah”) contained in the file “/i386”, OSX/Jahlav.A executes a malicious Perl script that attempts to connect to a remote server over TCP port 80. Over this connection the trojan also sends back sensitive information about the compromised system, such as its operating system, processor type and IP address.

Outwardly, this trojan's installation resembles that of the OSX/RSPlug family variants; however, its behaviour has changed since RSPlug, and it no longer targets users’ DNS settings. Instead, the backdoor component is now designed to remotely download and install files. Our customers are protected from OSX/Jahlav.A using update 31.6.6219 and later.
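As an added illustration (not code from the post or from CA), the shell helpers below turn the indicators described above into read-only checks: the cron entry that launches the dropped binary, the uuencode header inside the installer scripts, and the files dropped into the plug-in directory. File names and paths are the ones quoted in the post; demo() builds constructed sample inputs so the checks run without a real infection.

```shell
#!/bin/sh
# Added triage helpers for the OSX/Jahlav.A indicators quoted in this post.
# They only report; nothing is removed. Paths and file names are the ones the
# post names; the sample inputs built in demo() are constructed, not captured.

# Report crontab entries that launch the dropped binaries from the plug-in
# directory. The post's job runs "$path/$EVIL" with $path ending in "/", so the
# expanded path may contain "//"; the pattern tolerates one or more slashes.
# Reads a crontab listing on stdin, e.g.:  crontab -l | flag_cron_lines
# Comment lines are ignored. Exit status 0 if any entry matched, 1 otherwise.
flag_cron_lines() {
    grep -E '^[^#]*/Internet Plug-Ins/+(AdobeFlash|applemac)("|[[:space:]]|$)'
}

# Report uuencoded payloads embedded in an installer script such as the post's
# "preinstall"/"preupgrade" ("begin 777 withlove") or "~/i386" ("begin 666 jah").
# "begin <mode> <name>" is the uuencode header line. Exit 0 if one is present.
has_uuencoded_payload() {
    grep -En '^begin [0-7]{3} [^[:space:]]+' "$1"
}

# List the files the post says the installer drops, if present in directory $1
# (use "/Library/Internet Plug-Ins" on a live system). Exit 0 if any is present.
list_dropped_files() {
    found=1
    for name in AdobeFlash Mozillaplug.plugin applemac; do
        if [ -e "$1/$name" ]; then
            echo "present: $1/$name"
            found=0
        fi
    done
    return $found
}

# Constructed sample data (not from a real infection) exercising all three checks.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '0 3 * * * /usr/bin/backup.sh' \
        '* */5 * * * "/Library/Internet Plug-Ins//AdobeFlash" 1>/dev/null 2>&1' > "$d/crontab"
    printf '%s\n' '#!/bin/sh' 'begin 777 withlove' 'end' > "$d/preinstall"
    mkdir "$d/plugins" && : > "$d/plugins/Mozillaplug.plugin"
    flag_cron_lines < "$d/crontab"
    has_uuencoded_payload "$d/preinstall"
    list_dropped_files "$d/plugins"
    rm -rf "$d"
}

demo
```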

Another piece of Mac-targeting malware for which we recently added detection is OSX/Lamsev.A. This trojan, pictured below, is currently published on a known security website, where it can be downloaded as a proof-of-concept application.

Example of proof-of-concept malware OSX/Lamsev.A

The author describes their application in “readme.txt” as follows:

Attaches persistent bindshell to OS X applications. Not all applications are supported. If your application isn't supported, you should get an error after running the 'hack' command. Application must be in the current working directory.

Future features:
Advertisement of backdoored accounts over Bonjour.

It was clearly created for educational purposes, and it requires the user to specify a target application manually in the terminal before its payload executes. Our customers are protected from OSX/Lamsev.A using update 31.6.6225 and later.

Mac OS X threats are still not comparable in scale to Windows threats, but with the growing popularity of Mac systems we are unfortunately seeing attackers take more interest.

Stay informed, stay safe!

About Methusela Cebrian Ferrer

Methusela Cebrian Ferrer is a Senior Research Engineer with the CA Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Before CA, she spent 5 years on the antivirus service team and R&D group for Trend Micro Internet Security Labs. She also worked on antivirus and anti-spyware software for PC Tools Research in Sydney, where she specialized in research and analysis of Mac OS X security threats. Her specialty is security exploits and vulnerabilities on mobile and Mac platforms. She holds MCSE and MCSA Microsoft certifications and is an active member of the AISA and ISSA organizations, as well as various information security forums.