Mac Malware - New OSX/Crisis or Business Cards Gone Wild

Rusli
Rusli Posts: 1,013 Influencer

http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-wild/  New OSX/Crisis or Business Cards Gone Wild

Posted on November 13th, 2013 by Peter James

In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team’s spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners.

RCS, also known as OSX/Crisis, is an expensive rootkit used by governments during targeted attacks. It collects audio, pictures, screenshots, keystrokes and report everything to a remote server. It’s known to be delivered through grey market exploits.

The dropper filename, Biglietto Visita, is Italian for business card. Like OSX/Crisis.A, the code is in a dedicated section and uses low-level system calls to deploy the spyware: a backdoor and its encrypted configuration, an image, a scripting addition and the kernel extensions.

To avoid antivirus detection, the backdoor is now obfuscated using MPress packer. We can use gdb or Volatility to dump the unpacked binary. Complete analysis is in progress, as it is another story to put the symbols in place, but here you have an excerpt of the decrypted configuration file:

OSX/Crisis.B decrypted configuration excerpt

As you can see, our infected machines have good reasons to communicate with 176.58.121.242 (we also have packet captures to decrypt). At the time of this writing, this Linode UK host is online and moderates unwanted targets quickly (remote uninstall).

As is, the backdoor do not trigger the social-engineering privilege escalation, or load the kernel extensions.

Should you feel concerned by government targeted attacks, or recently received a 200k€ business card, then look for those files in your Home folder and your Startup Disk:

  • Library/LaunchAgents/com.apple.UIServerLogin.plist
  • Library/Preferences/2Md1ctl2/0T4Nn2U0.tze
  • Library/Preferences/2Md1ctl2/5KusPre5.vAl
  • Library/Preferences/2Md1ctl2/Contents/Info.plist
  • Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/Info.plist
  • Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/MacOS/9uW_anE9.cIL
  • Library/Preferences/2Md1ctl2/hFSGY5ih.rfU
  • Library/Preferences/2Md1ctl2/q45tyh
  • Library/Preferences/2Md1ctl2/WaAvsmZW.EMb
  • Library/Scripting Additions/UIServerEvents/Contents/Info.plist
  • Library/Scripting Additions/UIServerEvents/Contents/MacOS/0T4Nn2U0.tze
  • Library/Scripting Additions/UIServerEvents/Contents/Resources/UIServerEvents.r

Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.B.

Comments

  • Rusli
    Rusli Posts: 1,013 Influencer

    Clamav Mac Malware

     

    ClamAV Virus Database Search Search for: begins withcontainsexactregex
    Case-sensitive search: YesNo
    Search database(s): DailyMain
    Display results: DatabaseFileVirus NameSignature


    Search results:

    daily.cvd      not-OSX.Tored                                
    daily.cvd      Osx.Exploit.Iosjailbreak-1                   
    daily.cvd      OSX.Defma                                    
    daily.cvd      MacOSX.Revir-1                               
    daily.cvd      OSX.BlackHol                                 
    daily.cvd      OSX.BlackHol-1                               
    daily.cvd      OSX.Trojan.Iumler-1                          
    daily.cvd      OSX.Trojan.Imuler-1                          
    daily.cvd      Osx.Exploit.CVE_2009_0563.Gen                
    daily.cvd      Osx.Trojan.CVE_2009_0563.Gen                 
    daily.cvd      OSX.Trojan.KitM-1                            
    daily.cvd      Osx.Trojan.Janicab-2                         
    daily.cvd      Osx.Trojan.Janicab.Gen-1                     
    daily.cvd      Osx.Trojan.Janicab.Gen-2                     
    main.cvd       OSX.RSPlug                                   
    main.cvd       Trojan.OSX.iservices.A                       
    main.cvd       Trojan.OSX.iservices.B                       
    main.cvd       OSX.DNSChanger.dmg                           
    main.cvd       OSX.DNSChanger.dmg-1                         
    main.cvd       Trojan.OSX.RSPlug.F.dmg                      
    main.cvd       Trojan.OSX.RSPlug.F.dmg-1                    
    main.cvd       Trojan.OSX.RSPlug.F.dmg-2                    
    main.cvd       Trojan.OSX.RSPlug.F.dmg-3                    
    main.cvd       Trojan.OSX.RSPlug.F.dmg-4                    
    main.cvd       Trojan.OSX.RSPlug.F.dmg-5                    
    main.cvd       Trojan.OSX.RSPlug.G.dmg                      
    main.cvd       Trojan.OSX.RSPlug.G                          
    main.cvd       Exploit.OSX.Safari                           
    main.cvd       Trojan.OSX.Cowhand                           
    main.cvd       Backdoor.OSX.BlackHole                       
    main.cvd       Trojan.Downloader.OSX                        
    main.cvd       OSX.Flashback                                
    main.cvd       Trojan.Downloader.OSX-1                      
    main.cvd       OSX.Flashback-1                              
    main.cvd       OSX.Flashback-3                              
    main.cvd       OSX.Flashback-2                              
    main.cvd       OSX.Flashback-4                              
    main.cvd       Trojan.OSX.Miner                             
    main.cvd       OSX.Flashback-6                              
    main.cvd       OSX.Flashback-7                              
    main.cvd       OSX.Flashback-17                             
    main.cvd       OSX.Flashback-18                             
    main.cvd       OSX.Flashback-15                             
    main.cvd       OSX.Flashback-16                             
    main.cvd       Adware.OSX                                   
    main.cvd       OSX.Flashfake.Java                           
    main.cvd       Trojan.OSX.FlashBack-2                       
    main.cvd       OSX.Trojan.Yontoo                            
    main.cvd       Osx.Exploit.CVE_2009_0563                    
    main.cvd       OSX.Trojan.FkCodec.A                         
    main.cvd       OSX.DNSChanger                               
    main.cvd       OSX.Trojan-2                                 
    main.cvd       Trojan.OSX.Opener                            
    main.cvd       Trojan.OSX.RSPlug.C                          
    main.cvd       Trojan.OSX.RSPlug.D                          
    main.cvd       OSX.Tored                                    
    main.cvd       OSX.RSPlug-2                                 
    main.cvd       Trojan.OSX.OpinionSpy.B                      
    main.cvd       Trojan.OSX.OpinionSpy.A                      
    main.cvd       Trojan.OSX.MacDefender                       
    main.cvd       Trojan.OSX.MacDefender.B                     
    main.cvd       Trojan.OSX.MacDefender.C                     
    main.cvd       OSX.Defma-1                                  
    main.cvd       OSX.Defma-2                                  
    main.cvd       Trojan.OSX.MacBack                           
    main.cvd       Trojan-Downloader.OSX.Fav.A                  
    main.cvd       Trojan-Downloader.OSX.Fav.B                  
    main.cvd       MacOSX.iMuler-1                              
    main.cvd       Trojan.OSX.FlashBack.A                       
    main.cvd       OSX.DevilRobber                              
    main.cvd       OSX.Flashback-5                              
    main.cvd       Trojan.OSX.Imuler                            
    main.cvd       OSX.Word.Malware                             
    main.cvd       OSX.Word.Malware-1                           
    main.cvd       OSX.Flashback-8                              
    main.cvd       OSX.Flashback-10                             
    main.cvd       OSX.Flashback-12                             
    main.cvd       OSX.Flashback-9                              
    main.cvd       OSX.Flashback-13                             
    main.cvd       OSX.Flashback-14                             
    main.cvd       OSX.Flashfake                                
    main.cvd       OSX.SubPub                                   
    main.cvd       OSX.Flashback-19                             
    main.cvd       OSX.Flashback-20                             
    main.cvd       OSX.Maljava                                  
    main.cvd       OSX.Flashback-21                             
    main.cvd       OSX.Flashfake-1                              
    main.cvd       OSX.Flashfake-2                              
    main.cvd       OSX.Flashback-22                             
    main.cvd       Trojan.OSX.Crisis.A                          
    main.cvd       Trojan.OSX.Crisis.B                          
    main.cvd       OSX.Trojan.Crisis                            
    main.cvd       OSX.Trojan.Crisis-1                          
    main.cvd       OSX.Trojan.Crisis-2                          
    main.cvd       OSX.Trojan.HellRTS                           
    main.cvd       OSX.Trojan.Musminim                          
    main.cvd       Trojan.OSX.AppleScriptTHT.A                  
    main.cvd       Trojan.OSX.Morcut.A                          
    main.cvd       Trojan.OSX.DevilRobber.A                     
    main.cvd       Trojan.OSX.Miner.A                           
    main.cvd       Trojan.OSX.Dockster.A                        
    main.cvd       Trojan.OSX.Dockster.B                        
    main.cvd       Trojan.OSX.Darkoperator.A                    
    main.cvd       Trojan.OSX.Hellraiser.A                      
    main.cvd       Trojan.OSX.Inqtana.A                         
    main.cvd       Trojan.OSX.iServices.C                       
    main.cvd       Trojan.OSX.iServices.D                       
    main.cvd       Trojan.OSX.iMunizator.A                      
    main.cvd       Trojan.OSX.FkCodec.A                         
    main.cvd       Trojan.OSX.FkCodec.B                         
    main.cvd       Trojan.OSX.FkCodec.C                         
    main.cvd       Trojan.OSX.Renepo.H                          
    main.cvd       Trojan.OSX.RSPlug.I                          
    main.cvd       Trojan.OSX.RSPlug.J                          
    main.cvd       Trojan.OSX.RSPlug.K                          
    main.cvd       Trojan.OSX.RSPlug.L                          
    main.cvd       Trojan.OSX.Netweird.A                        
    main.cvd       VirTool.OSX.Rubilyn.A                        
    main.cvd       VirTool.OSX.Rubilyn.B                        
    main.cvd       Trojan.OSX.SMSsend.A                         
    main.cvd       OSX.Trojan.Pintsized                         
    main.cvd       OSX.Trojan.Pintsized-1                       

    122 hits for 'osx'

  • Sophos doesn't find this when I know it's on my MBP.

     

    When searching for 'osx.Trojan.CVE_2009_0563' on their site there are no search results.

This discussion has been closed.