New Mac OS X Backdoor Being Used for an Advanced Persistent Threat Campaign, Kaspersky Researchers Say

Malicious application is a new, and primarily undetected, variant of the MaControl backdoor

July 4, 2012

3 Min Read


Abingdon, UK, 3 July 2012 - On 27 June 2012, Kaspersky Lab’s experts intercepted a new wave of Mac OS X attacks targeting Uyghur activists that were part of an Advanced Persistent Threat (APT) campaign.

The APT attackers were sending customised emails to a select number of Uyghur activists who were presumed Mac users. The targeted emails included ZIP attachments inside them, which contained a malicious Mac OS X backdoor. To disguise the malware, the ZIP file showed a JPEG photo together with the malicious application.

Kaspersky Lab’s researchers analysed the Mac OS X backdoor and concluded that the malicious application is a new, and primarily undetected, variant of the MaControl backdoor, which supports both i386 and PowerPC Macs. However, Kaspersky Lab’s system* detects the malicious variant as “Backdoor.OSX.MaControl.b.”

When executed, the MaControl backdoor installs itself inside the victim’s Mac and connects to its Command and Control (C&C) server to get instructions. The backdoor allows its operator to list files, transfer files and generally run commands on the infected Mac computer at will. During the analysis of the malware, Kaspersky Lab identified its C&C server, which is located in China.

“Macs are growing in global popularity, even amongst high-profile people. Many choose to use Mac OS X computers because they believe it’s safer,” said Costin Raiu, Director of Global Research & Analysis at Kaspersky Lab. “However, we believe that as the adoption increases for Mac OS X, so will both mass-infection attacks and targeted campaigns. Attackers will continue to refine and enhance their methods to mix exploits and social engineering techniques to try and infect victims. Just like PC malware, this combination is commonly the most effective and cybercriminals will continue to challenge Mac OS X users’ security, both technically and psychologically.”

This is not the first time Kaspersky Lab has identified APT-driven attacks targeting Mac OS X users. In April 2012, Kaspersky Lab’s researchers published information about an active APT campaign, SabPub, which was attacking the Mac OS X platform by exploiting an MS Office vulnerability. Once the custom backdoor Trojan infected a victim’s machine, it was able to take screenshots of the user’s current session and execute commands on the infected computer.

Even though the notorious Flashfake Trojan, which helped to create a botnet of 700k+ Mac computers, was the most prominent example of Mac OS X infections, cybercriminals have continued to attack the platform, most notably in targeted campaigns. Several days ago, Apple pulled a claim from their website which said that “a Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers.”

The Mac OS X security landscape continues to change in 2012 as cybercriminals target the platform with various types of techniques and methods.

For more information about the APT attack and the new Mac OS X MaControl Backdoor variant, please visit

*The Backdoor.OSX.MaControl.b malware is detected and remediated by Kaspersky Anti-Virus 2011 for Mac.


Kaspersky Lab Newsroom

Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (, for journalists throughout Europe. The newsroom is specifically designed to serve many of the media’s most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and Enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights