Unix and macOS malware

Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A.

We found a new wave of different campaigns spreading the initial “Banloader” components in Jar (Java archive). It’s able to run on Linux, OS X, Windows. It’s also able to run under certain circumstances even on mobile devices.

Recently Patrick Wardle published an analysis of a new Backdoor and Dropper used by HackingTeam. It looks like the samples mentioned in the blog were found in-the-wild, so we decided to see how this latest Backdoor works.

Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable instance of Wordpress which the project used to run their website. The attackers modified download links pointing to backdoored ISO files of Linux Mint 17.3 Cinnamon edition.

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let´s have a look at both of them.

In December 2014 we discovered a very interesting vulnerability in the Darwin kernel. Using it attackers can send just one incorrect network packet to the victim and the victim’s system (OS X 10.10 or iOS 8) will crash.

In 2013 we registered a sudden surge in the number of attacks targeting users’ financial information and money. In 2014, the situation changed considerably: the number of attacks and attacked users significantly decreased, as did the amount of financial phishing.

In November 2014, an interesting malicious sample was uploaded to a multiscanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle.

This section of the report forms part of the Kaspersky Security Bulletin 2014 and is based on data obtained and processed using Kaspersky Security Network (KSN). Kaspersky Lab products detected and neutralized a total of 6,167,233,068 threats during the reported period.

Next year Kaspersky Lab experts anticipate high-stakes targeted cyber-attacks pinpointing the banks. We expect fraudsters will try to develop new malware that can take cash directly from ATMs. 2015 is also likely to bring even more privacy concerns, security worries about Apple devices and renewed fears about connected devices.

Recently, news appeared about an interesting attack where cybercriminals infect iPhones and Mac OSX users with a rather peculiar malware dubbed WireLurker. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.

We got an interesting file for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X.

A couple weeks ago, my colleague Mikhail K posted on the analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Let’s explore some additional offensive details of this crew’s activity, and details of the overall situation, in the past week.

It described a Trojan with sufficiently versatile DDoS functionality. The capability that we found the most interesting was the Trojan’s ability to conduct DNS Amplification-type attacks.

A Trojan encrypter for Mac OS X is something we haven’t yet seen, but is, it seems, totally realistic.