Kaspersky Lab’s experts say they’ve intercepted a new wave of Mac OS X attacks targeting Uyghur activists that were part of an Advanced Persistent Threat (APT) campaign.
The APT attackers were sending customized emails to a select number of Uyghur activists who were presumed Mac users. The targeted emails included ZIP attachments inside them, which contained a malicious Mac OS X backdoor. To disguise the malware, the ZIP file showed a JPEG photo together with the malicious application.
Kaspersky Lab’s researchers analyzed the Mac OS X backdoor and concluded that the malicious application is a new, and primarily undetected, variant of the MaControl backdoor, which supports both i386 and PowerPC Macs. However, Kaspersky Lab’s system detects the malicious variant as “Backdoor.OSX.MaControl.b.”
When executed, the MaControl backdoor installs itself inside the victim’s Mac and connects to its Command and Control (C&C) server to get instructions. The backdoor allows its operator to list files, transfer files and generally run commands on the infected Mac computer at will. During the analysis of the malware, Kaspersky Lab identified its C&C server, which is located in China.
This is not the first time Kaspersky Lab has identified APT-driven attacks targeting Mac OS X users. In April 2012, Kaspersky Lab’s researchers published information about an active APT campaign, SabPub, which was attacking the Mac OS X platform by exploiting an MS Office vulnerability. Once the custom backdoor Trojan infected a victim’s machine, it was able to take screenshots of the user’s current session and execute commands on the infected computer.
For more information about the APT attack and the new Mac OS X MaControl Backdoor variant, go to Securelist.com .