Mac Malware - New OSX/Crisis or Business Cards Gone Wild
http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-wild/
Posted on November 13th, 2013 by Peter James
In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team’s spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners.
RCS, also known as OSX/Crisis, is an expensive rootkit used by governments in targeted attacks. It collects audio, pictures, screenshots and keystrokes, and reports everything to a remote server. It is known to be delivered through grey-market exploits.
The dropper filename, Biglietto Visita, is Italian for business card. Like OSX/Crisis.A, the code is in a dedicated section and uses low-level system calls to deploy the spyware: a backdoor and its encrypted configuration, an image, a scripting addition and the kernel extensions.
To evade antivirus detection, the backdoor is now obfuscated with the MPress packer. We can use gdb or Volatility to dump the unpacked binary. A complete analysis is in progress (restoring the symbols is another story), but here is an excerpt of the decrypted configuration file:
As you can see, our infected machines have good reasons to communicate with 176.58.121.242 (we also have packet captures to decrypt). At the time of this writing, this Linode UK host is online and quickly drops unwanted targets (remote uninstall).
As is, the backdoor neither triggers the social-engineering privilege escalation nor loads the kernel extensions.
Should you feel concerned about government-targeted attacks, or have recently received a 200k€ business card, look for these files in your Home folder and on your Startup Disk:
- Library/LaunchAgents/com.apple.UIServerLogin.plist
- Library/Preferences/2Md1ctl2/0T4Nn2U0.tze
- Library/Preferences/2Md1ctl2/5KusPre5.vAl
- Library/Preferences/2Md1ctl2/Contents/Info.plist
- Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/Info.plist
- Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/MacOS/9uW_anE9.cIL
- Library/Preferences/2Md1ctl2/hFSGY5ih.rfU
- Library/Preferences/2Md1ctl2/q45tyh
- Library/Preferences/2Md1ctl2/WaAvsmZW.EMb
- Library/Scripting Additions/UIServerEvents/Contents/Info.plist
- Library/Scripting Additions/UIServerEvents/Contents/MacOS/0T4Nn2U0.tze
- Library/Scripting Additions/UIServerEvents/Contents/Resources/UIServerEvents.r
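The manual check above can be scripted. The following POSIX sh checker is an added example and is not part of the Intego post or of VirusBarrier: it looks for each listed artefact relative to the directories you pass (normally your Home folder and the startup disk root), prints every match, and returns non-zero when anything is found. The path list and the 176.58.121.242 address come from the post; the function names, the `scan` argument and the netstat-based connection check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Intego post): scan for the OSX/Crisis.B
# artefact paths listed in the post, relative to one or more base directories.

# Artefact paths from the post, one per line. One directory name contains a
# space ("Scripting Additions"), so the list is read line by line, never word-split.
CRISIS_PATHS='Library/LaunchAgents/com.apple.UIServerLogin.plist
Library/Preferences/2Md1ctl2/0T4Nn2U0.tze
Library/Preferences/2Md1ctl2/5KusPre5.vAl
Library/Preferences/2Md1ctl2/Contents/Info.plist
Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/Info.plist
Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/MacOS/9uW_anE9.cIL
Library/Preferences/2Md1ctl2/hFSGY5ih.rfU
Library/Preferences/2Md1ctl2/q45tyh
Library/Preferences/2Md1ctl2/WaAvsmZW.EMb
Library/Scripting Additions/UIServerEvents/Contents/Info.plist
Library/Scripting Additions/UIServerEvents/Contents/MacOS/0T4Nn2U0.tze
Library/Scripting Additions/UIServerEvents/Contents/Resources/UIServerEvents.r'

# Command-and-control address named in the post.
CRISIS_C2='176.58.121.242'

# check_crisis_paths DIR...: print each listed artefact that exists under any
# DIR; return 0 when nothing was found, 1 when at least one artefact exists.
check_crisis_paths() {
    hits=0
    for base in "$@"; do
        base=${base%/}      # "/" becomes "", so matches print as /Library/...
        while IFS= read -r rel; do
            [ -n "$rel" ] || continue
            if [ -e "$base/$rel" ]; then
                printf '%s\n' "$base/$rel"
                hits=$((hits + 1))
            fi
        done <<EOF
$CRISIS_PATHS
EOF
    done
    [ "$hits" -eq 0 ]
}

# check_c2_connections: print any socket line mentioning the C2 host and
# return 1 if one exists; returns 0 (clean) where netstat is unavailable.
check_c2_connections() {
    netstat -an 2>/dev/null | grep -F "$CRISIS_C2" || return 0
    return 1
}

# scan_default_locations: the post's advice in one call, Home folder plus
# startup disk, followed by the network check. Exit status 0 means clean.
scan_default_locations() {
    status=0
    check_crisis_paths "$HOME" / || status=1
    check_c2_connections || status=1
    if [ "$status" -eq 0 ]; then
        echo "No OSX/Crisis.B artefacts found."
    else
        echo "OSX/Crisis.B indicators present; see the lines above." >&2
    fi
    return "$status"
}

# The scan runs only when invoked as:  sh crisis_check.sh scan
case "${1:-}" in
    scan) scan_default_locations ;;
esac
```

Run it as `sh crisis_check.sh scan`; a non-zero exit status means at least one artefact path or an active connection to the listed host was seen. Presence of a path is evidence, not proof, so treat a hit as a reason to image the machine and pull the file for analysis rather than to delete it on the spot.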
Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.B.
ClamAV for Mac malware detections
ClamAV virus database search results for 'osx' (database file, signature name):
- daily.cvd: not-OSX.Tored
- daily.cvd: Osx.Exploit.Iosjailbreak-1
- daily.cvd: OSX.Defma
- daily.cvd: MacOSX.Revir-1
- daily.cvd: OSX.BlackHol
- daily.cvd: OSX.BlackHol-1
- daily.cvd: OSX.Trojan.Iumler-1
- daily.cvd: OSX.Trojan.Imuler-1
- daily.cvd: Osx.Exploit.CVE_2009_0563.Gen
- daily.cvd: Osx.Trojan.CVE_2009_0563.Gen
- daily.cvd: OSX.Trojan.KitM-1
- daily.cvd: Osx.Trojan.Janicab-2
- daily.cvd: Osx.Trojan.Janicab.Gen-1
- daily.cvd: Osx.Trojan.Janicab.Gen-2
- main.cvd: OSX.RSPlug
- main.cvd: Trojan.OSX.iservices.A
- main.cvd: Trojan.OSX.iservices.B
- main.cvd: OSX.DNSChanger.dmg
- main.cvd: OSX.DNSChanger.dmg-1
- main.cvd: Trojan.OSX.RSPlug.F.dmg
- main.cvd: Trojan.OSX.RSPlug.F.dmg-1
- main.cvd: Trojan.OSX.RSPlug.F.dmg-2
- main.cvd: Trojan.OSX.RSPlug.F.dmg-3
- main.cvd: Trojan.OSX.RSPlug.F.dmg-4
- main.cvd: Trojan.OSX.RSPlug.F.dmg-5
- main.cvd: Trojan.OSX.RSPlug.G.dmg
- main.cvd: Trojan.OSX.RSPlug.G
- main.cvd: Exploit.OSX.Safari
- main.cvd: Trojan.OSX.Cowhand
- main.cvd: Backdoor.OSX.BlackHole
- main.cvd: Trojan.Downloader.OSX
- main.cvd: OSX.Flashback
- main.cvd: Trojan.Downloader.OSX-1
- main.cvd: OSX.Flashback-1
- main.cvd: OSX.Flashback-3
- main.cvd: OSX.Flashback-2
- main.cvd: OSX.Flashback-4
- main.cvd: Trojan.OSX.Miner
- main.cvd: OSX.Flashback-6
- main.cvd: OSX.Flashback-7
- main.cvd: OSX.Flashback-17
- main.cvd: OSX.Flashback-18
- main.cvd: OSX.Flashback-15
- main.cvd: OSX.Flashback-16
- main.cvd: Adware.OSX
- main.cvd: OSX.Flashfake.Java
- main.cvd: Trojan.OSX.FlashBack-2
- main.cvd: OSX.Trojan.Yontoo
- main.cvd: Osx.Exploit.CVE_2009_0563
- main.cvd: OSX.Trojan.FkCodec.A
- main.cvd: OSX.DNSChanger
- main.cvd: OSX.Trojan-2
- main.cvd: Trojan.OSX.Opener
- main.cvd: Trojan.OSX.RSPlug.C
- main.cvd: Trojan.OSX.RSPlug.D
- main.cvd: OSX.Tored
- main.cvd: OSX.RSPlug-2
- main.cvd: Trojan.OSX.OpinionSpy.B
- main.cvd: Trojan.OSX.OpinionSpy.A
- main.cvd: Trojan.OSX.MacDefender
- main.cvd: Trojan.OSX.MacDefender.B
- main.cvd: Trojan.OSX.MacDefender.C
- main.cvd: OSX.Defma-1
- main.cvd: OSX.Defma-2
- main.cvd: Trojan.OSX.MacBack
- main.cvd: Trojan-Downloader.OSX.Fav.A
- main.cvd: Trojan-Downloader.OSX.Fav.B
- main.cvd: MacOSX.iMuler-1
- main.cvd: Trojan.OSX.FlashBack.A
- main.cvd: OSX.DevilRobber
- main.cvd: OSX.Flashback-5
- main.cvd: Trojan.OSX.Imuler
- main.cvd: OSX.Word.Malware
- main.cvd: OSX.Word.Malware-1
- main.cvd: OSX.Flashback-8
- main.cvd: OSX.Flashback-10
- main.cvd: OSX.Flashback-12
- main.cvd: OSX.Flashback-9
- main.cvd: OSX.Flashback-13
- main.cvd: OSX.Flashback-14
- main.cvd: OSX.Flashfake
- main.cvd: OSX.SubPub
- main.cvd: OSX.Flashback-19
- main.cvd: OSX.Flashback-20
- main.cvd: OSX.Maljava
- main.cvd: OSX.Flashback-21
- main.cvd: OSX.Flashfake-1
- main.cvd: OSX.Flashfake-2
- main.cvd: OSX.Flashback-22
- main.cvd: Trojan.OSX.Crisis.A
- main.cvd: Trojan.OSX.Crisis.B
- main.cvd: OSX.Trojan.Crisis
- main.cvd: OSX.Trojan.Crisis-1
- main.cvd: OSX.Trojan.Crisis-2
- main.cvd: OSX.Trojan.HellRTS
- main.cvd: OSX.Trojan.Musminim
- main.cvd: Trojan.OSX.AppleScriptTHT.A
- main.cvd: Trojan.OSX.Morcut.A
- main.cvd: Trojan.OSX.DevilRobber.A
- main.cvd: Trojan.OSX.Miner.A
- main.cvd: Trojan.OSX.Dockster.A
- main.cvd: Trojan.OSX.Dockster.B
- main.cvd: Trojan.OSX.Darkoperator.A
- main.cvd: Trojan.OSX.Hellraiser.A
- main.cvd: Trojan.OSX.Inqtana.A
- main.cvd: Trojan.OSX.iServices.C
- main.cvd: Trojan.OSX.iServices.D
- main.cvd: Trojan.OSX.iMunizator.A
- main.cvd: Trojan.OSX.FkCodec.A
- main.cvd: Trojan.OSX.FkCodec.B
- main.cvd: Trojan.OSX.FkCodec.C
- main.cvd: Trojan.OSX.Renepo.H
- main.cvd: Trojan.OSX.RSPlug.I
- main.cvd: Trojan.OSX.RSPlug.J
- main.cvd: Trojan.OSX.RSPlug.K
- main.cvd: Trojan.OSX.RSPlug.L
- main.cvd: Trojan.OSX.Netweird.A
- main.cvd: VirTool.OSX.Rubilyn.A
- main.cvd: VirTool.OSX.Rubilyn.B
- main.cvd: Trojan.OSX.SMSsend.A
- main.cvd: OSX.Trojan.Pintsized
- main.cvd: OSX.Trojan.Pintsized-1
122 hits for 'osx'.