Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Mac Malware Spies On Email, Survives Reboots

Crisis malware lets attackers install without an administrator password and intercept email, IM, and other communications.

Mac users, beware new malware targeting Apple OS X systems that's disguised as an Adobe Flash Player installer.

That warning comes via antivirus software vendor Kaspersky Lab, which said it first spotted the Crisis malware--also known as Morcut--last week. While not widespread, the malware's ability to intercept email and IM, among other features, demonstrates that malicious applications written to target Macs can be just as powerful as malware that comes gunning for PCs.

Concerns over Mac malware have been growing since the Flashback malware infected an estimated 600,000 Apple OS X systems earlier this year. Apple ultimately patched multiple versions of its operating system against the malware, and also took the unusual step of altering OS X to disable outdated versions of Java and the Adobe Flash Player, to help prevent malware from exploiting known vulnerabilities in the software.

[ Is Apple upping the ante on security? Read more at Apple's Authentec Buy Hints At Secure iPad. ]

Such steps should pay off in the case of Crisis, since the malware arrives in the form of a Java archive (a.k.a. JAR) file that's allegedly been signed by VeriSign. The malware includes an installer for various modules, including one that communicates with the botnet's command-and-control servers. The installer first checks to see if it's already been installed--via the presence of a file the malware creates to hide its stolen data--and then activates a rootkit, which hides its malicious files and processes in the OS X system library, enabling the malware to survive reboots. The rootkit also ensures that the malware can run automatically, without requiring administrator-level authentication.

Based on the malware's capabilities, "these modules were written professionally, obviously with the intention of being used widely in the future," said Sergey Golovanov, a security researcher at Kaspersky Lab, in a blog post. "From the code, we can see that the cybercriminals developed this Trojan in order to sell it on hacker forums."

But it's unclear if the malware, which offers functionality similar to the Zeus financial malware, has been designed solely with black-market distribution in mind, or whether it might also be marketed to law enforcement agencies, said Golovanov.

Regardless of the malware's origins, it offers attack capabilities on par with modern PC-targeting malware. "If this malware managed to infect your Mac computer, it could learn an awful lot about you and potentially steal information which could read your private messages and conversations, and open your email and other online accounts," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "Clearly, [Morcut] was created with spying in mind."

Notably, the code contains hooks into the Apple OS X operating system that allow it to either monitor or control any built-in Webcam, track mouse coordinates, record keystrokes, copy clipboard contents, and spy on instant messaging tools such as Adium, MSN Messenger, and Skype, as well as call data related to Skype. The malware can also activate the internal microphone, read calendar data and alerts, retrieve address book information, take screenshots, and recall visited URLs.

"Fortunately, we haven't seen Morcut in the wild," Cluley said, which means that either the malware may simply have not found many buyers, or that it's being used only in very targeted attacks.

"At the moment the threat is low," Cluley said. "However, the complexity of the malware is yet another indication that malware on the Mac is becoming more serious--and designed to make money at your expense."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26030
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
CVE-2021-26031
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
CVE-2021-27710
PUBLISHED: 2021-04-14
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system funct...
CVE-2021-28484
PUBLISHED: 2021-04-14
An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send i...
CVE-2021-29654
PUBLISHED: 2021-04-14
AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution.