Researchers are analysing new code from a five-year-old Windows backdoor program, which they found has been integrated into a spyware program designed to compromise Mac OS X systems. Dubbed XSLCmd by the researchers, this OS X malware was verified by VirusTotal on August 10. Other antivirus products have not yet succeeded in detecting it, confirming that the authors are using much more complex coding for it.
Leading security research firm FireEye said in its blog post on this malware that the code is compatible with PowerPC and both 32- and 64-bit x86 CPU architectures; apart from the installation routine, a backdoor is also present, and it executes as soon as the parent process is running.
“The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process.”
The capabilities of the backdoor include opening a reverse shell, viewing files and transferring them to a remote location, running self-update routines and installing other executable files. FireEye says that, compared to the Windows version, the OS X one features increased functionality that allows monitoring of the victim by logging keystrokes and capturing the screen. This, coupled with the fact that it has gone undetected so far, points towards a very experienced malware author.
The researchers believe that the XSLCmd backdoor is employed in cyber-espionage activities and have identified the cyber criminals behind it as GREF. This team specialises in cyber espionage and has been active since 2009. It was one of the groups that hacked the US Defense Industrial Base, as well as electronics and engineering companies all over the world, from 2011 to date. It is not known whether this group includes state actors from any country.
With the rising popularity of Apple computers and laptops, this becomes a new headache for the parent company. Until now, malware for Mac machines has been few and far between. Porting Windows malware to other operating systems is neither a complex nor a new practice. Taking the form of a Mach-O executable file, the backdoor copies itself to “$HOME/Library/LaunchAgents/clipboardd” and creates a file in that folder which ensures the threat is launched at reboot, as soon as the victim logs in.
During the installation process, the malware checks the operating system version, and it appears that versions above 10.8 (Mountain Lion) are not taken into consideration. This could indicate either that the authors targeted victims running this edition of OS X or that the piece was created specifically for Mountain Lion.
FireEye believes that the cyber criminals behind this threat are not only “advanced” but “adaptive” too, considering that they have managed to achieve compatibility of their toolkit with the new operating systems adopted by their victims, and to obtain persistence on the infected machines.
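As an added defender-side example, not taken from the FireEye report or this article, the following Python check walks a user's LaunchAgents folder and flags the persistence pattern described above: a launch agent whose program is the reported clipboardd drop path, or whose binary sits inside LaunchAgents itself. The plist names and contents in demo() are constructed for the example.

```python
import os
import plistlib
import tempfile

# Drop location reported on this page, relative to the user's home directory.
KNOWN_DROP = os.path.join("Library", "LaunchAgents", "clipboardd")

def audit_launch_agents(agents_dir, home):
    """Return (plist name, reason) pairs for per-user agents worth a closer look:
    the program is the reported XSLCmd drop path, or the program binary lives
    inside LaunchAgents itself (legitimate agents point to binaries elsewhere)."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings.append((name, f"unparseable plist: {exc}"))
            continue
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else None)
        if not program:
            continue
        # Expand a leading $HOME so the path can be compared with the drop location.
        if program.startswith("$HOME"):
            program = home + program[len("$HOME"):]
        resolved = os.path.normpath(program)
        if resolved == os.path.join(home, KNOWN_DROP):
            findings.append((name, "program is the XSLCmd drop path"))
        elif os.path.dirname(resolved) == os.path.normpath(agents_dir):
            findings.append((name, "program binary stored inside LaunchAgents"))
    return findings

def demo():
    # Constructed sample: one benign agent and one mimicking the reported persistence.
    home = tempfile.mkdtemp()
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    samples = {  # plist names and contents are constructed, not taken from the report
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        "com.example.clipboardd.plist": {"Label": "clipboardd", "RunAtLoad": True,
            "ProgramArguments": ["$HOME/Library/LaunchAgents/clipboardd"]},
    }
    for name, content in samples.items():
        with open(os.path.join(agents, name), "wb") as fh:
            plistlib.dump(content, fh)
    return audit_launch_agents(agents, home)
```

On a real machine the same function can be pointed at os.path.expanduser("~/Library/LaunchAgents") with the user's home directory as the second argument.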
You can read the full article about XSLCMD here