APT reports

New MacOS X backdoor variant used in APT attacks

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists.

But before we go into details, let’s start with a quiz:

– The Dalai Lama walks into an Apple Store. Why?

A possible answer is, “to buy one of the new MacBook Pro’s with the Retina display!” (speaking of which, I would very much like to buy one of those as well, but it’s kind of difficult to justify the hit to the family budget)

Joke aside, actually Dalai Lama is a well known Mac user. Here’s a photo of him using a Mac during a conf call:

And a better one of him using a 17” MacBook Pro:

Perhaps it is no surprise that we are seeing an increase in the number of APT attacks against such high profile users using Mac’s.

On June 27th, we’ve intercepted a new wave of APT attacks targeting certain Uyghur Mac users.

The e-mails have a ZIP file attached. Inside the ZIP file, there’s a JPG photo and a MacOS X app:

The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as “Backdoor.OSX.MaControl.b”.

MD5 ( “matiriyal.app/Contents/MacOS/iCnat” ): e88027e4bfc69b9d29caef6bae0238e8

When executed, it installs itself in the system and connects to its Command and Control server to get instructions. The backdoor allows its operator to list files, transfer files and generally, run commands on the infected machine.

As usual, although some of the comments and debug info are in English, they contain common mistakes:

– “Recieve” instead of “Receive”

– “os verison” instead of “os version”

– “memery” instead of “memory”

– Etc…

The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size. The configuration block is obfuscated with a simple “substract 8” operation.

Once decrypted, the command and control server address can be read: 61.178.77.*, located in China:

With Macs growing in popularity and their increased adoption by high profile targets, we expect the number of MacOS X APT attacks will also grow. Previous attacks used MS Office exploits (Exploit.MSWord.CVE-2009-0563.a.); the one described here relies on social engineering to get the user to run the backdoor. Just like with PC malware, a combination of exploits and social engineering tricks are generally the most effective; it won’t be surprising to see a spike in such attacks soon.

Update: AlienVault posted a description of the Windows counterpart of the backdoor used in this attack. You can read their analysis here.

New MacOS X backdoor variant used in APT attacks

Your email address will not be published. Required fields are marked *



Lyceum group reborn

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.

GhostEmperor: From ProxyLogon to kernel mode

While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the cluster GhostEmperor.

APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

Subscribe to our weekly e-mails

The hottest research right in your inbox