Mac Malware - New OSX/Crisis or Business Cards Gone Wild

Senior Advisor

Mac Malware - New OSX/Crisis or Business Cards Gone Wild  New OSX/Crisis or Business Cards Gone Wild

Posted on November 13th, 2013 by Peter James

In these days of computer conspiracies, the Mac is not left out. A new variant of Remote Control System, Hacking Team’s spyware, landed on VirusTotal with a detection rate of 0 out of 47 scanners.

RCS, also known as OSX/Crisis, is an expensive rootkit used by governments during targeted attacks. It collects audio, pictures, screenshots, keystrokes and report everything to a remote server. It’s known to be delivered through grey market exploits.

The dropper filename, Biglietto Visita, is Italian for business card. Like OSX/Crisis.A, the code is in a dedicated section and uses low-level system calls to deploy the spyware: a backdoor and its encrypted configuration, an image, a scripting addition and the kernel extensions.

To avoid antivirus detection, the backdoor is now obfuscated using MPress packer. We can use gdb or Volatility to dump the unpacked binary. Complete analysis is in progress, as it is another story to put the symbols in place, but here you have an excerpt of the decrypted configuration file:

OSX/Crisis.B decrypted configuration excerpt

As you can see, our infected machines have good reasons to communicate with (we also have packet captures to decrypt). At the time of this writing, this Linode UK host is online and moderates unwanted targets quickly (remote uninstall).

As is, the backdoor do not trigger the social-engineering privilege escalation, or load the kernel extensions.

Should you feel concerned by government targeted attacks, or recently received a 200k€ business card, then look for those files in your Home folder and your Startup Disk:

  • Library/LaunchAgents/
  • Library/Preferences/2Md1ctl2/0T4Nn2U0.tze
  • Library/Preferences/2Md1ctl2/5KusPre5.vAl
  • Library/Preferences/2Md1ctl2/Contents/Info.plist
  • Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/Info.plist
  • Library/Preferences/2Md1ctl2/Contents/Resources/9uW_anE9.cIL.kext/Contents/MacOS/9uW_anE9.cIL
  • Library/Preferences/2Md1ctl2/hFSGY5ih.rfU
  • Library/Preferences/2Md1ctl2/q45tyh
  • Library/Preferences/2Md1ctl2/WaAvsmZW.EMb
  • Library/Scripting Additions/UIServerEvents/Contents/Info.plist
  • Library/Scripting Additions/UIServerEvents/Contents/MacOS/0T4Nn2U0.tze
  • Library/Scripting Additions/UIServerEvents/Contents/Resources/UIServerEvents.r

Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.B.

Senior Advisor

Re: Mac Malware - New OSX/Crisis or Business Cards Gone Wild

Senior Advisor

Re: Mac Malware - New OSX/Crisis or Business Cards Gone Wild

Clamav Mac Malware


ClamAV Virus Database Search Search for: begins withcontainsexactregex
Case-sensitive search: YesNo
Search database(s): DailyMain
Display results: DatabaseFileVirus NameSignature

Search results:

daily.cvd      not-OSX.Tored                                
daily.cvd      Osx.Exploit.Iosjailbreak-1                   
daily.cvd      OSX.Defma                                    
daily.cvd      MacOSX.Revir-1                               
daily.cvd      OSX.BlackHol                                 
daily.cvd      OSX.BlackHol-1                               
daily.cvd      OSX.Trojan.Iumler-1                          
daily.cvd      OSX.Trojan.Imuler-1                          
daily.cvd      Osx.Exploit.CVE_2009_0563.Gen                
daily.cvd      Osx.Trojan.CVE_2009_0563.Gen                 
daily.cvd      OSX.Trojan.KitM-1                            
daily.cvd      Osx.Trojan.Janicab-2                         
daily.cvd      Osx.Trojan.Janicab.Gen-1                     
daily.cvd      Osx.Trojan.Janicab.Gen-2                     
main.cvd       OSX.RSPlug                                   
main.cvd       Trojan.OSX.iservices.A                       
main.cvd       Trojan.OSX.iservices.B                       
main.cvd       OSX.DNSChanger.dmg                           
main.cvd       OSX.DNSChanger.dmg-1                         
main.cvd       Trojan.OSX.RSPlug.F.dmg                      
main.cvd       Trojan.OSX.RSPlug.F.dmg-1                    
main.cvd       Trojan.OSX.RSPlug.F.dmg-2                    
main.cvd       Trojan.OSX.RSPlug.F.dmg-3                    
main.cvd       Trojan.OSX.RSPlug.F.dmg-4                    
main.cvd       Trojan.OSX.RSPlug.F.dmg-5                    
main.cvd       Trojan.OSX.RSPlug.G.dmg                      
main.cvd       Trojan.OSX.RSPlug.G                          
main.cvd       Exploit.OSX.Safari                           
main.cvd       Trojan.OSX.Cowhand                           
main.cvd       Backdoor.OSX.BlackHole                       
main.cvd       Trojan.Downloader.OSX                        
main.cvd       OSX.Flashback                                
main.cvd       Trojan.Downloader.OSX-1                      
main.cvd       OSX.Flashback-1                              
main.cvd       OSX.Flashback-3                              
main.cvd       OSX.Flashback-2                              
main.cvd       OSX.Flashback-4                              
main.cvd       Trojan.OSX.Miner                             
main.cvd       OSX.Flashback-6                              
main.cvd       OSX.Flashback-7                              
main.cvd       OSX.Flashback-17                             
main.cvd       OSX.Flashback-18                             
main.cvd       OSX.Flashback-15                             
main.cvd       OSX.Flashback-16                             
main.cvd       Adware.OSX                                   
main.cvd       OSX.Flashfake.Java                           
main.cvd       Trojan.OSX.FlashBack-2                       
main.cvd       OSX.Trojan.Yontoo                            
main.cvd       Osx.Exploit.CVE_2009_0563                    
main.cvd       OSX.Trojan.FkCodec.A                         
main.cvd       OSX.DNSChanger                               
main.cvd       OSX.Trojan-2                                 
main.cvd       Trojan.OSX.Opener                            
main.cvd       Trojan.OSX.RSPlug.C                          
main.cvd       Trojan.OSX.RSPlug.D                          
main.cvd       OSX.Tored                                    
main.cvd       OSX.RSPlug-2                                 
main.cvd       Trojan.OSX.OpinionSpy.B                      
main.cvd       Trojan.OSX.OpinionSpy.A                      
main.cvd       Trojan.OSX.MacDefender                       
main.cvd       Trojan.OSX.MacDefender.B                     
main.cvd       Trojan.OSX.MacDefender.C                     
main.cvd       OSX.Defma-1                                  
main.cvd       OSX.Defma-2                                  
main.cvd       Trojan.OSX.MacBack                           
main.cvd       Trojan-Downloader.OSX.Fav.A                  
main.cvd       Trojan-Downloader.OSX.Fav.B                  
main.cvd       MacOSX.iMuler-1                              
main.cvd       Trojan.OSX.FlashBack.A                       
main.cvd       OSX.DevilRobber                              
main.cvd       OSX.Flashback-5                              
main.cvd       Trojan.OSX.Imuler                            
main.cvd       OSX.Word.Malware                             
main.cvd       OSX.Word.Malware-1                           
main.cvd       OSX.Flashback-8                              
main.cvd       OSX.Flashback-10                             
main.cvd       OSX.Flashback-12                             
main.cvd       OSX.Flashback-9                              
main.cvd       OSX.Flashback-13                             
main.cvd       OSX.Flashback-14                             
main.cvd       OSX.Flashfake                                
main.cvd       OSX.SubPub                                   
main.cvd       OSX.Flashback-19                             
main.cvd       OSX.Flashback-20                             
main.cvd       OSX.Maljava                                  
main.cvd       OSX.Flashback-21                             
main.cvd       OSX.Flashfake-1                              
main.cvd       OSX.Flashfake-2                              
main.cvd       OSX.Flashback-22                             
main.cvd       Trojan.OSX.Crisis.A                          
main.cvd       Trojan.OSX.Crisis.B                          
main.cvd       OSX.Trojan.Crisis                            
main.cvd       OSX.Trojan.Crisis-1                          
main.cvd       OSX.Trojan.Crisis-2                          
main.cvd       OSX.Trojan.HellRTS                           
main.cvd       OSX.Trojan.Musminim                          
main.cvd       Trojan.OSX.AppleScriptTHT.A                  
main.cvd       Trojan.OSX.Morcut.A                          
main.cvd       Trojan.OSX.DevilRobber.A                     
main.cvd       Trojan.OSX.Miner.A                           
main.cvd       Trojan.OSX.Dockster.A                        
main.cvd       Trojan.OSX.Dockster.B                        
main.cvd       Trojan.OSX.Darkoperator.A                    
main.cvd       Trojan.OSX.Hellraiser.A                      
main.cvd       Trojan.OSX.Inqtana.A                         
main.cvd       Trojan.OSX.iServices.C                       
main.cvd       Trojan.OSX.iServices.D                       
main.cvd       Trojan.OSX.iMunizator.A                      
main.cvd       Trojan.OSX.FkCodec.A                         
main.cvd       Trojan.OSX.FkCodec.B                         
main.cvd       Trojan.OSX.FkCodec.C                         
main.cvd       Trojan.OSX.Renepo.H                          
main.cvd       Trojan.OSX.RSPlug.I                          
main.cvd       Trojan.OSX.RSPlug.J                          
main.cvd       Trojan.OSX.RSPlug.K                          
main.cvd       Trojan.OSX.RSPlug.L                          
main.cvd       Trojan.OSX.Netweird.A                        
main.cvd       VirTool.OSX.Rubilyn.A                        
main.cvd       VirTool.OSX.Rubilyn.B                        
main.cvd       Trojan.OSX.SMSsend.A                         
main.cvd       OSX.Trojan.Pintsized                         
main.cvd       OSX.Trojan.Pintsized-1                       

122 hits for 'osx'


Re: Mac Malware - New OSX/Crisis or Business Cards Gone Wild

Sophos doesn't find this when I know it's on my MBP.


When searching for 'osx.Trojan.CVE_2009_0563' on their site there are no search results.