New OS X trojan backdoor MaControl variant reported

Published: 2012-07-05
Last Updated: 2012-07-05 01:55:42 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

Kaspersky has reported that a new previously undetected variant of the MaControl backddor is being used in the wild. The malware arrived as an email attachment, and if installed connect to a C&C server. More information on the malware, its behaviour, and the attack campaign is available from Kaspersky, who discovered this variant. As more malware authors become motivated to attack OS X it is likely that we will continue to see targeted attacks such as this in the future.

http://www.kaspersky.com/about/news/virus/2012/New_Mac_OS_X_Backdoor_Being_Used_for_an_Advanced_Persistent_Threat_Campaign

http://www.securelist.com/en/blog/208193616/New_MacOS_X_backdoor_variant_used_in_APT_attacks

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

I will be teaching SANS Sec542 in Minneapolis July, Sec560 in Montreal September, and Sec542 in Vancouver December.

2 comment(s)

Comments

Tis the end of the Golden Era. We will now need to be as vigilant as Windows users. I enjoyed, even relished, the respite, reveled in the immunity that we enjoyed. But, sadly, even this must come to an end.

Life is a bitch, then you get POWNED!
I see that this is an application masquerading as a document, not exactly an uncommon trick (which is why I always have show extensions turned on no matter my platform). The articles say it installs itself into the system, but how does it get past the "enter admin account" security barrier? Or does it require the user to enter this information before installing?

That people will do social engineering against all platforms is an unfortunate reality for all of us. But have they found a way to bypass the security layer that is supposed to make you stop and think? Or are they just trying to trick you as always? Nothing in either link clarifies this detail.

Diary Archives