We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

New Mac malware discovered: Icefog

Published September 26th, 2013 at 1:53 PM EDT , modified October 1st, 2013 at 9:11 AM EDT

Kaspersky Lab has released a 68-page report on cross-platform malware that has been active since 2011, and which they are calling Icefog. According to the report, this malware has been used in targeted espionage attacks in Asia, primarily in Japan and South Korea. It affects both Windows and Mac OS X, although the Mac version seems to be new, and installs a backdoor that communicates with a command & control server for instructions.

icefog1The Mac variant of this malware poses as a graphics program called “Img2icns.” This app is not signed by a registered developer, however, so it will immediately be brought to a screeching halt if Gatekeeper is set to prevent such apps from running.

Users who are not running Mac OS X 10.8.x (aka Mountain Lion) or who have disabled Gatekeeper, however, will be fully capable of opening it. (At the time of this writing, it is not detected as malware by XProtect. I have submitted it to Apple, so hopefully detection will be added soon.) When opened, the app does not ask for an admin password, and it looks surprisingly professional. It asks the user whether to move the app to the Applications folder, though if you tell it to do so, it won’t actually do anything, since it doesn’t have the appropriate permissions to modify the Applications folder. It will also ask the user whether to check for updates automatically. After dismissing these, you are greeted with an  interface that is more polished than most malware bothers with.



The polish should not be surprising, though, since it appears that this malware is hijacking what appears to be a legit app. The malicious app functions as you would expect. Examining the application package carefully, it looks like the malicious app contains a full copy of the real Img2icns app, which is launched while the malware does its thing.

All this is subterfuge, of course, disguising the real purpose behind the app. While the user is busy interacting with what the Img2icns app, the malware is busy installing itself. It installs an app named “” in the user’s home folder, with the leading period in the file name making it invisible by default. It also installs a LaunchAgent named “apple.launchd.plist” in the user’s Library/LaunchAgents folder. This LaunchAgent keeps the “” process running.

At this time, this malware isn’t much of a threat to users of Mountain Lion. Users of Snow Leopard (Mac OS X 10.6) and later will be protected once Apple adds a definition for this malware to their XProtect system. Unfortunately, if you have a system older than Snow Leopard, you have no built-in protection against this malware.


September 27, 2013 @ 3:21 PM EST: Lysa Myers of Intego revealed that two other apps are being imitated by this malware: AppDelete and CleanMyMac. Obviously, the original apps are not malware, but be cautious where you download them from!

October 1, 2013 @ 9:04 AM EST: Still no updates to XProtect definitions, despite the fact that I submitted this malware to Apple right before publishing this article. Even after forcing my machine to check for an XProtect update, I still only have a version that was last updated almost a full week before the appearance of this malware. Hopefully, Apple will get on the ball soon, so that people who are using systems with XProtect, but without Gatekeeper, will be protected!

Tags: , ,


  • Al says:

    Intel only or Universal Binary (including PPC)?

    • Thomas says:

      Good question, since many of the machines running 10.5 and earlier may be PowerPC. Looks like it’s an Intel-only executable, so it shouldn’t run on a PowerPC Mac.

  • Lafa says:

    Hello I have the CleanMyMac 2 I have download from the and I have buy this product , can you please tel me Thomas this original downloading I have dow it’s not the malware version Lysa Myers from Intego talks?

    • Thomas says:

      MacPaw is the developer of CleanMyMac, so if you downloaded it from their site, you’re fine. Of course, you could also look for part of the payload if you’re not sure. In the Finder, choose Go -> Go to Folder. In the window that opens, enter “~/Library/LaunchAgents” (without the quotes) and click the Go button. In the window that opens, look for a file named “apple.launchd.plist” – if you find it, you’re infected. If you don’t, or if the Finder complains that the folder couldn’t be found, you’re fine.

  • Jay says:

    I’ve been trying and trying but opening those applications from the samples I have does not generate those files in LaunchAgents or the invisible app. XProtect is off, Little snitch disabled. Any suggestions?

    • Thomas says:

      No idea what’s going on there. Where did you get your samples? Are you sure they’re copies of the malware? Is this in your copy of Mavericks, or in Mountain Lion or earlier?

  • Jay says:

    This is in 10.8.3 and 10.8.4 VM’s. The samples are good as VirusTotal recognizes them when I upload. I extracted the from the package contents but can’t get the LaunchAgent item to generate. As the .app is the harmful part the launchagent item shouldn’t matter much but still wondering what’s going on, perhaps the C&C server can’t be found so the app does not generate it…

    • Thomas says:

      Which app are you testing? What’s the SHA-256, SHA-1 or MD5 of the sample you’re trying? The one that I’ve tested with has the SHA-256:


      I just re-tested that one and it still works as described, creating the invisible app and the LaunchAgent to keep it running. I haven’t, though, tested with the other to copies I’ve got (disguised as AppDeleter and CleanMyMac).

      • Jay says:

        That’s the same one I have. The app launches, asks to check for updates and move to Applications folder etc… then functions as normal without anything happening in the background. Maybe my copy is damaged somehow, will try to find another. Tnx for checking 🙂

This post is more than 90 days old and has been locked. No further comments are allowed.