Ventir: the new keylogger and spying malware for OS X
Researchers at Kaspersky have detected a new type of modular malware for OS X. They have named the sample, found in the wild, Ventir. The main feature of Ventir is that it integrates a legitimate component for intercepting keystrokes that is freely available on code-sharing websites.
According to Kaspersky, the Ventir OS X malware is a keylogger that also contains a backdoor. It can be used for spying on and stealing information from the victim's Mac.
Using open-source tools to write malware is nothing new. Kaspersky researchers said that Ventir uses LogKext, an open-source software package for capturing user keyboard input. LogKext is a legitimate tool that was abandoned by its original developer but is being maintained by the open-source community to work on OS X Mavericks (10.9), and it is freely available for download from GitHub.
Detected by the company’s products as “not-a-virus:Monitor.OSX.LogKext.c,” LogKext hooks into the kernel of the operating system to achieve its purpose.
Mikhail Kuzin of Kaspersky says that LogKext hooks into the OS X kernel only if the dropper succeeds in obtaining elevated privileges on the victim's system.
LogKext has three files whose functionality is to intercept the keystrokes (updated.kext), match the key codes to the characters associated with these codes (Keymap.plist), and log the keystrokes along with some system events (EventMonitor agent).
The first thing the dropper payload does after being executed is to check whether it has root access. If it does, it proceeds to install all the files of the keylogging component. The privileges obtained determine which components Ventir can run and where its files are installed. If it has full privileges on the victim's computer, it downloads additional backdoor components.
The backdoor is used to communicate with the command and control (C&C) server and receive commands. Once the computer is connected to the C&C server, it can do pretty much anything the attacker wants.
Kaspersky lists the following features of Ventir:
As soon as it is launched, the dropper checks whether it has root access by calling the geteuid() function. The result of the check determines where the Trojan's files will be installed:
- If it has root access, the files will be installed in /Library/.local and /Library/LaunchDaemons;
- If it does not have root access, the files will be installed in ~/Library/.local and ~/Library/LaunchAgents (“~” stands for the path to the current user’s home directory).
- All files of the Trojan to be downloaded to the victim machine are initially located in the “__data” section of the dropper file.
The EventMonitor spying component is used only if elevated privileges are not obtained. "Immediately before processing a keystroke, the malware determines the name of the process whose window is currently active," says Kuzin in a blog post.
As a result, the following files will be installed on the infected system:
- Library/.local/updated – re-launches files update and EventMonitor in the event of unexpected termination.
- Library/.local/reweb – used to re-launch the file updated.
- Library/.local/update – the backdoor module.
- Library/.local/libweb.db – the malicious program’s database file. Initially contains the Trojan’s global settings, such as the C&C address.
- Library/LaunchAgents (or LaunchDaemons)/com.updated.launchagent.plist – the properties file used to set the file Library/.local/updated to autorun using the launchd daemon.
- Depending on whether root access is available:
  A) if it is – /Library/.local/kext.tar. The following files are extracted from the archive:
    - updated.kext – the driver that intercepts user keystrokes;
    - Keymap.plist – the map which matches the codes of the keys pressed by the user to the characters associated with these codes;
    - EventMonitor – the agent which logs keystrokes as well as certain system events to the following file: Library/.local/.logfile.
  B) if it isn't – ~/Library/.local/EventMonitor. This is the agent that logs the current active window name and the keystrokes to the following file: Library/.local/.logfile.
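The file layout and the root/non-root install paths described above give a defender a concrete checklist. The script below is an added example (not Kaspersky's code and not part of the original write-up): it looks for the documented paths under both the system root and the user's home, and also parses the LaunchAgents/LaunchDaemons plists to flag any launchd job whose program lives in a hidden Library/.local directory, which is the generalisation of the com.updated.launchagent.plist persistence entry. The plist keys used (Program, ProgramArguments) are the standard launchd keys and are an assumption about how the malicious plist is written; the sample layout built by make_constructed_sample is constructed for the self-test.

```python
"""Defensive check for the Ventir install layout (added example, not the article's code)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Install paths taken from the Kaspersky description, relative to "/" (root
# install) or to the user's home directory (non-root install).
VENTIR_FILES = [
    "Library/.local/updated",
    "Library/.local/reweb",
    "Library/.local/update",
    "Library/.local/libweb.db",
    "Library/.local/kext.tar",
    "Library/.local/EventMonitor",
    "Library/.local/.logfile",
    "Library/LaunchAgents/com.updated.launchagent.plist",
    "Library/LaunchDaemons/com.updated.launchagent.plist",
]


def _job_program(plist):
    """Return the executable a launchd job would run (Program or ProgramArguments[0])."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def suspicious_launchd_jobs(root):
    """Flag launchd jobs under root whose program path points into a Library/.local dir."""
    hits = []
    for sub in ("Library/LaunchAgents", "Library/LaunchDaemons"):
        job_dir = Path(root) / sub
        if not job_dir.is_dir():
            continue
        for plist_path in sorted(job_dir.glob("*.plist")):
            try:
                with open(plist_path, "rb") as fh:
                    program = _job_program(plistlib.load(fh))
            except Exception:
                continue  # unreadable or not a plist; outside this check's scope
            if program and "/Library/.local/" in program:
                hits.append((str(plist_path), program))
    return hits


def scan_ventir(roots):
    """Return {root: {"files": [...], "launchd": [...]}} for every root with findings."""
    report = {}
    for root in roots:
        present = [f for f in VENTIR_FILES if (Path(root) / f).exists()]
        jobs = suspicious_launchd_jobs(root)
        if present or jobs:
            report[str(root)] = {"files": present, "launchd": jobs}
    return report


def make_constructed_sample(root):
    """Build a constructed (not real) non-root-style layout under root for testing."""
    local = Path(root) / "Library" / ".local"
    local.mkdir(parents=True, exist_ok=True)
    (local / "updated").write_bytes(b"placeholder")
    agents = Path(root) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    job = {
        "Label": "com.updated.launchagent",  # label assumed from the plist file name
        "ProgramArguments": [str(local / "updated")],
        "RunAtLoad": True,
    }
    with open(agents / "com.updated.launchagent.plist", "wb") as fh:
        plistlib.dump(job, fh)


def demo():
    """Scan a constructed sample tree; returns (report, sample_root)."""
    sample_root = tempfile.mkdtemp(prefix="ventir-sample-")
    make_constructed_sample(sample_root)
    return scan_ventir([sample_root]), sample_root


if __name__ == "__main__":
    # On a real Mac, check both the root install and the per-user install locations.
    print(scan_ventir(["/", os.path.expanduser("~")]))
```

Running the module on a live system scans "/" and the current user's home; absence of findings is a useful negative result only for the paths Kaspersky documented, so the launchd check (any job program under a hidden Library/.local directory) is the part worth keeping in a general baseline.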
The researcher says that Ventir has a structure similar to that of another piece of malware, Morcut, which is also known as Crisis. They share similar functionality and the same number of modules, and may be the work of the same cybercriminal group.