New Malware Targeting OS X

Tuesday, March 1, 2016 @ 06:03 PM gHale


There is new malware targeting Mac OS X, which could be the work of the HackingTeam.

The HackingTeam is a company that sells surveillance software (legal term for malware) to governments around the world.


A few weeks ago, Claud Xiao, a security researcher at Palo Alto Networks, discovered a series of Mac binaries that he considered suspicious.

After sharing these binaries with the infosec community, they ended up in the hands of some OS X security specialists, like SentinelOne’s Pedro Vilaca and Synack’s director of R&D Patrick Wardle, who took a closer look.

They both reached the same conclusion: The malicious binaries contain new (or modified) malware that seems to be using the same techniques and mode of operation as previous malware uncovered via the HackingTeam data breach from last summer.

The two security researchers are not 100 percent sure the HackingTeam is behind this new malware.

As for the malware itself, both researchers said this new variant is only a dropper, and not anything complex.

Droppers are a class of malware with two functions. They must be able to infect computers and maintain a foothold, and then they must be able to talk to a C&C server and download a specific malware variant, chosen based on the details of the infected system.

The researchers both noted that, at the time of their analysis, antivirus engines in Google’s VirusTotal service weren’t flagging it as malicious.

They also noted that, compared to other HackingTeam Mac malware, these new binaries used Apple’s built-in OS X encryption scheme and a custom binary packing system.
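A custom packer is one reason signature-based antivirus can miss a fresh sample: the bytes on disk no longer resemble the known payload. A generic triage check that does not depend on knowing the packer is to measure Shannon entropy across a binary in fixed-size windows; packed or encrypted regions sit close to the 8 bits-per-byte ceiling, while ordinary code and strings sit well below it. The script below is an added illustration of that heuristic, written for this page and not a tool from the researchers or from the HackingTeam analysis; the chunk size, the 7.2-bit threshold, the 50 percent flagged-fraction rule, and the two embedded samples (a repeated text string and seeded pseudorandom bytes standing in for a packed region) are all constructed assumptions.

```python
"""Entropy-based packing heuristic for triaging unknown binaries.

Added example (not from the original article). It reads a file given on the
command line, or falls back to two constructed in-memory samples, and reports
which fixed-size windows look packed/encrypted. High entropy is a hint that
warrants a closer look, not proof of malice: compressed resources and legitimate
code signing blobs are high-entropy too.
"""
import math
import random
import sys
from collections import Counter

# Assumed tuning values; adjust for the file formats you actually triage.
CHUNK_SIZE = 1024       # bytes per window
THRESHOLD = 7.2         # bits/byte above which a window is flagged
MIN_FRACTION = 0.5      # fraction of flagged windows for the whole file to be "packed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_chunks(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = THRESHOLD):
    """Return (offset, entropy, flagged) for every fixed-size window of data."""
    results = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        e = shannon_entropy(chunk)
        results.append((off, round(e, 3), e >= threshold))
    return results


def looks_packed(data: bytes, chunk_size: int = CHUNK_SIZE,
                 threshold: float = THRESHOLD, min_fraction: float = MIN_FRACTION) -> bool:
    """True when at least min_fraction of the windows exceed the entropy threshold."""
    results = scan_chunks(data, chunk_size, threshold)
    if not results:
        return False
    flagged = sum(1 for _, _, hit in results if hit)
    return flagged / len(results) >= min_fraction


# Constructed samples: a low-entropy text blob and a seeded pseudorandom blob that
# imitates a packed/encrypted section. Neither is derived from any real malware.
TEXT_SAMPLE = (b"Mac OS X dropper analysis placeholder text. " * 128)[:4096]
_rng = random.Random(1234)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


def report(label: str, data: bytes) -> None:
    """Print a per-window entropy summary for a sample."""
    print(f"== {label}: {len(data)} bytes, packed={looks_packed(data)}")
    for off, e, hit in scan_chunks(data):
        print(f"  offset 0x{off:06x}  entropy {e:5.3f}  {'FLAG' if hit else ''}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(sys.argv[1], fh.read())
    else:
        report("constructed text sample", TEXT_SAMPLE)
        report("constructed pseudorandom sample", RANDOM_SAMPLE)
```

Run it with a path to a Mach-O (or any file) to see which regions are near-random; run it with no arguments to see the two constructed samples land on opposite sides of the threshold. In practice this check is paired with Mach-O section parsing so that a high-entropy `__TEXT` segment (executable code that should be low entropy) is distinguished from a high-entropy resource or signature blob, which is expected.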