Malware descriptions

“Leap” of Faith

Although we’ve seen malware compiled for MacOSX in the past, there hasn’t been any major outbreak of Mac malware, yet.

Earlier today there have been a couple of reports about a MacOSX trojan on the MacRumors forum. We’ve been able to obtain a sample and take a look.

OSX/Leap.A is a native PowerPC malware which is distributed in the form of a TAR-Gzipped archive called “latestpics.tgz”. Once the archive has been expanded (by a simple double-click in MacOSX) the user is presented with an application called “latestpics”, 39596 bytes in size. It looks like this:

Executing it activates the worm code, which attempts to infect other applications on disk and replicate to other computers using iChat.

Infection of local applications is performed in a classic way – by saving the original binary in its resource fork, then by overwriting the application code with the 39596-bytes long “latestpics” executable. In our tests, this didn’t quite work well and infected applications no longer seem to work. The worm uses a special method to gain control whenever a new application is executed – it drops an InputManager extension in the ~Library/InputManagers directory of MacOSX, in the form of a 18884 bytes long “apphook”. Whenever a new application is started, the “apphook” extension will also get executed, initiating the infection procedure.

The author seems to have been working on e-mail replication as well, but this part of the worm doesn’t seem to be complete yet. This might arrive in a future version though.

With Apple’s transition to Intel hardware and aggresive price policy, it was just a matter of time until Macs become popular not only between users, but also as a target for malware authors. Based on our previous experiences, there is no doubt that what we are seeing today is only the beginning.

“Leap” of Faith

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox