Mac Trojan Updated and Active

Friday, January 24, 2014 @ 01:01 PM gHale

There is a new variant of OSX/Crisis, the Mac Trojan developed by Hacking Team and utilized by governments in targeted cyber attacks.

OSX/Crisis.C is similar to previous variants and is distributed via a dropper that installs silently on targeted machines, said researchers at security provider Intego.


It runs on Mac OS X 10.5, 10.6, and 10.7, and it enables attackers to capture audio and video, take screenshots, harvest user locations, and connect to Wi-Fi.

In order to hide itself, Crisis patches the Activity Monitor. It drops its rootkit by tricking users into giving it system admin privileges.

This third version comes with a different backdoor configuration file format. As with any evolving product, some of the dropper code has also been updated.

Intego researchers spotted the Mac malware after someone uploaded it to VirusTotal as a file called “Frantisek,” which experts believe could be a reference to Pope Francis.

On Wednesday, only 6 of the 49 engines on VirusTotal detected the threat.


