New Mac malware discovered: Icefog
Published September 26th, 2013 at 1:53 PM EDT, modified October 1st, 2013 at 9:11 AM EDT
Kaspersky Lab has released a 68-page report on cross-platform malware that has been active since 2011, and which they are calling Icefog. According to the report, this malware has been used in targeted espionage attacks in Asia, primarily in Japan and South Korea. It affects both Windows and Mac OS X, although the Mac version seems to be new, and installs a backdoor that communicates with a command & control server for instructions.
The Mac variant of this malware poses as a graphics program called “Img2icns.” This app is not signed by a registered developer, however, so it will immediately be brought to a screeching halt if Gatekeeper is set to prevent such apps from running.
Users who are not running Mac OS X 10.8.x (aka Mountain Lion) or who have disabled Gatekeeper, however, will be fully capable of opening it. (At the time of this writing, it is not detected as malware by XProtect. I have submitted it to Apple, so hopefully detection will be added soon.) When opened, the app does not ask for an admin password, and it looks surprisingly professional. It asks the user whether to move the app to the Applications folder, though if you tell it to do so, it won’t actually do anything, since it doesn’t have the appropriate permissions to modify the Applications folder. It will also ask the user whether to check for updates automatically. After dismissing these, you are greeted with an interface that is more polished than most malware bothers with.
The polish should not be surprising, though, since this malware appears to be hijacking what looks like a legit app. The malicious app functions as you would expect the real one to. Examining the application package carefully, it looks like the malicious app contains a full copy of the real Img2icns app, which is launched while the malware does its thing.
All this is subterfuge, of course, disguising the real purpose behind the app. While the user is busy interacting with the Img2icns app, the malware is busy installing itself. It installs an app named “.launchd.app” in the user’s home folder, with the leading period in the file name making it invisible by default. It also installs a LaunchAgent named “apple.launchd.plist” in the user’s Library/LaunchAgents folder. This LaunchAgent keeps the “.launchd.app” process running.
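The two artifacts described above can be checked for directly from Terminal. This is an added example, not code from the original article or from Kaspersky's report; the function name `icefog_check`, its output format, and the extra scan of other per-user LaunchAgents for references to “.launchd.app” are assumptions that go beyond the two paths the article names.

```shell
#!/bin/sh
# Added example: look for the Icefog artifacts named in the article.
# Prints one line per finding; returns 0 if nothing was found, 1 otherwise.
# Usage: icefog_check [home_folder]   (defaults to the current user's $HOME)

icefog_check() {
    home_dir="${1:-$HOME}"
    agent_dir="$home_dir/Library/LaunchAgents"
    agent="$agent_dir/apple.launchd.plist"
    hits=0

    # 1. Hidden app bundle in the home folder (the leading period hides it in Finder).
    if [ -e "$home_dir/.launchd.app" ]; then
        echo "FOUND hidden app: $home_dir/.launchd.app"
        hits=$((hits + 1))
    fi

    # 2. LaunchAgent that keeps the hidden app running.
    if [ -e "$agent" ]; then
        echo "FOUND LaunchAgent: $agent"
        hits=$((hits + 1))
    fi

    # 3. Assumption beyond the article: a renamed LaunchAgent could still point
    #    at the hidden bundle, so flag any other plist that mentions it.
    #    This is a plain text match on the plist contents.
    for plist in "$agent_dir"/*.plist; do
        [ -f "$plist" ] || continue          # no plists, or glob did not expand
        [ "$plist" = "$agent" ] && continue  # already reported in step 2
        if grep -q '\.launchd\.app' "$plist" 2>/dev/null; then
            echo "SUSPECT LaunchAgent references .launchd.app: $plist"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]
}
```

Call `icefog_check` with no argument to check your own home folder, or pass another user's home folder as the argument.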
At this time, this malware isn’t much of a threat to users of Mountain Lion. Users of Snow Leopard (Mac OS X 10.6) and later will be protected once Apple adds a definition for this malware to their XProtect system. Unfortunately, if you have a system older than Snow Leopard, you have no built-in protection against this malware.
September 27, 2013 @ 3:21 PM EST: Lysa Myers of Intego revealed that two other apps are being imitated by this malware: AppDelete and CleanMyMac. Obviously, the original apps are not malware, but be cautious where you download them from!
October 1, 2013 @ 9:04 AM EST: Still no updates to XProtect definitions, despite the fact that I submitted this malware to Apple right before publishing this article. Even after forcing my machine to check for an XProtect update, I still only have a version that was last updated almost a full week before the appearance of this malware. Hopefully, Apple will get on the ball soon, so that people who are using systems with XProtect, but without Gatekeeper, will be protected!