Researchers find more versions of digitally signed Mac OS X spyware
Security researchers have identified multiple samples of the recently discovered “KitM” spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.
KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screen shots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.
The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.
The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate, issued by Apple to someone named “Rajinder Kumar.” Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.
The first two KitM samples found last week connected back to C&C servers hosted in the Netherlands and Romania. Researchers from security vendor Norman Shark linked the domain names of those servers to the attack infrastructure of a large cyberespionage campaign of Indian-origin dubbed “Operation Hangover.”
On Wednesday, F-Secure researchers obtained more KitM variants from a Germany-based investigator. These samples were used in targeted attacks between December and February and were distributed via spear-phishing emails carrying .zip archives, the F-Secure researchers said in a blog post.
Some of the malicious attachments were called Christmas_Card.app.zip, Content_for_Article.app.zip, Interview_Venue_and_Questions.zip, Content_of_article_for_[NAME REMOVED].app.zip and Lebenslauf_fur_Praktitkum.zip.
“Though the spear phishing payloads are not particularly ‘sophisticated,’ the campaign’s use of German localization and the target’s name (removed in the example above) does indicate the attackers have done some homework,” the F-Secure researchers said Thursday in a different blog post.
The KitM installers contained in the .zip archives are Mach-O executables, but have icons corresponding to image and video files, Adobe PDF documents and Microsoft Word documents. This is a trick frequently seen with Windows malware distributed via email.
The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won’t immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.
“Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed,” Botezatu said Thursday via email. “If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines.”
Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven’t been discovered yet might exist.
In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.
However, this setting would be inconvenient for users in corporate environments, who need to run custom software developed in-house, Botezatu said. Such custom applications are intended for internal use only and are not published on the Mac App Store, so a more restrictive Gatekeeper setting would likely complicate their deployment process, he said.