New Mac spyware found at freedom conference

Published May 17th, 2013 at 6:42 AM EDT , modified May 21st, 2013 at 12:38 PM EDT

F-Secure announced yesterday the discovery of a new piece of Mac malware, found at the annual Oslo Freedom Forum on a freedom-of-speech activist’s computer. This malware, which they are calling OSX/KitM.A, appears to take screenshots about every 20 seconds and presumably (though they did not say this outright) uploads them to a remote server. Most interestingly, this malware is signed with an Apple Developer ID!

According to tweets by the discoverer of the malware, Jacob Appelbaum, the malware infected its victim through a targeted “spear phishing” attack, using an e-mail message containing the payload. He also says that Apple has informed him that they have revoked the certificate used for signing the malicious app, so future infections won’t be possible using that Developer ID.

Also interesting is the fact that Sean Sullivan, from F-Secure, has said that this appears to be related to something called “HackBack.” I have never heard of HackBack, and the only reference to it that I can find is a page from Sophos’s site from a year ago describing it. As far as I know, and as far as a Google search would seem to indicate, it was never announced publicly.

I’m sure that more details will be coming soon. I’ll keep everyone posted!

Updates

5/17/2013 7:41 am EST: I got my hands on a sample and tested it in a virtual machine. It works just as described in F-Secure’s post. Interestingly, though, the app opened just fine, with just the standard warning that it had been downloaded from the internet. If Appelbaum is actually correct that Apple revoked the Developer ID, my system was not aware of that. It will be interesting to keep an eye on that. I’ve never actually seen another case of Apple revoking a Developer ID, so I’m not sure exactly how the revocation works on the user’s end.

5/17/2013 11:51 am EST: Intego has just chimed in on the topic, calling this malware a new variant of OSX/FileSteal. This makes matters slightly clearer. FileSteal was quietly added to Apple’s XProtect definitions back in January of 2012, completely puzzling a group of other amateur security researchers that I’m a part of. There is still no documentation to be found online as to what FileSteal might be, but evidently it is what Sean Sullivan is calling HackBack. Still no details on that, but an additional name gives more to work with, so I’ll keep digging. Interestingly, although Intego says this new malware is FileSteal, it was not blocked by XProtect, so it must be different enough that Apple’s definitions don’t catch it.

5/18/2013 9:10 am EST: After sending a copy of the KitM malware to Apple, I heard from an Apple representative last night, and they said that they had revoked the certificate for that Developer ID on the 16th. However, on testing that app again this morning, it still opens just fine, with only the standard warning for an app downloaded from the internet. There is no sign that the app’s certificate has been revoked. I’m not trying to claim that Apple isn’t telling the truth, but clearly there’s something about the revocation process that isn’t being picked up by my machine (at least) two days later. That’s a fairly significant security issue. When Apple revokes a certificate like this, that should block the app from being opened on end-user machines as close to immediately as possible!

5/21/2013: I’ve been extremely busy the last couple of days, but I tested this again yesterday, and it finally was blocked. I could no longer open the app at all, and was told that it could not be opened and needed to be moved to the trash. I’m not sure why it took so long for that certificate revocation to be picked up by my test system, but I’m glad to see it finally stopped working!
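
To make the revocation point above concrete, here is an added example that is mine, not code from F-Secure, Apple or anyone quoted in this post. It replays the timeline with constructed data: a small certificate authority issues a code-signing certificate, a payload is signed with it, the issuer revokes the certificate two days later, and the same signed payload is assessed on three days. The client is modelled as consulting a certificate revocation list (CRL) that it caches until the list’s NextUpdate time. That is an assumed, simplified model of how a client learns about revocations; it is not a description of how Gatekeeper actually does it, which this post does not establish. The CA name, developer name, serial number, dates and payload bytes are all made up. It uses only Go’s standard library (Go 1.19 or later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdicts, loosely mirroring what the end user would see.
const (
	VerdictAllowed, VerdictRevoked                = "allowed", "revoked"
	VerdictUntrusted, VerdictBadSig, VerdictStale = "untrusted chain or list", "bad signature", "revocation data expired"
)

// Constructed timeline (made up to mirror the post): day 0 the sample is signed and the client caches
// CRL #1; day 2 the issuer revokes and publishes CRL #2; day 3 the client re-tests still holding CRL #1;
// day 6 the client has fetched CRL #2.
var day0 = time.Date(2013, 5, 14, 0, 0, 0, 0, time.UTC)

func day(n int) time.Time { return day0.Add(time.Duration(n) * 24 * time.Hour) }

// must panics on error: fine for a constructed demo where every failure is a programming mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for it: a self-signed root that may sign
// certificates and CRLs when parent is nil, otherwise a code-signing leaf signed by parent.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: day(0).Add(-time.Hour), NotAfter: day(365)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildCRL has the CA publish a CRL listing the revoked serials; clients may cache it for a week.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []*big.Int, at time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: at, NextUpdate: at.Add(7 * 24 * time.Hour)}
	for _, s := range revoked { // RevokedCertificates is the field that compiles on every Go release since 1.15
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: at})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// assess is the client side: the chain must be valid for code signing, the ECDSA/SHA-256 signature must
// match the payload, and the leaf's serial is looked up in whatever CRL the client has cached right now.
func assess(payload, sig []byte, leaf, issuer *x509.Certificate, roots *x509.CertPool, cachedCRL []byte, now time.Time) string {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	crl := must(x509.ParseRevocationList(cachedCRL))
	if _, err := leaf.Verify(opts); err != nil || crl.CheckSignatureFrom(issuer) != nil {
		return VerdictUntrusted // chain does not lead to a trusted root, or the CRL is not the issuer's
	}
	h := sha256.Sum256(payload)
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return VerdictBadSig
	}
	if now.After(crl.NextUpdate) {
		return VerdictStale // an expired list is no basis for a decision either way
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return VerdictRevoked
		}
	}
	return VerdictAllowed
}

// RunScenario replays the post's timeline with one signed sample: assessed against CRL #1 before
// revocation, against the still-cached CRL #1 after revocation, then against the fresh CRL #2.
func RunScenario() (before, stale, fresh string) {
	ca, caKey := newCert("Example Root CA (test)", 1, nil, nil)
	leaf, leafKey := newCert("Example Developer (test)", 4242, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	app := []byte("constructed sample: pretend these are the app's bytes")
	h := sha256.Sum256(app)
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, h[:])) // stand-in for the app's code signature
	crl1 := buildCRL(ca, caKey, 1, nil, day(0))                           // nothing revoked yet
	crl2 := buildCRL(ca, caKey, 2, []*big.Int{leaf.SerialNumber}, day(2)) // the revocation
	before = assess(app, sig, leaf, ca, roots, crl1, day(0))
	stale = assess(app, sig, leaf, ca, roots, crl1, day(3)) // client has not refreshed: still "allowed"
	fresh = assess(app, sig, leaf, ca, roots, crl2, day(6))
	return
}

func main() {
	before, stale, fresh := RunScenario()
	fmt.Printf("day 0 (CRL #1): %s\nday 3 (CRL #1 still cached): %s  <- the post's 5/17 and 5/18 result\nday 6 (CRL #2): %s\n", before, stale, fresh)
}
```

The middle verdict is the one that matters. On day 3 the chain is valid, the signature is valid, and the client still says “allowed”, even though the issuer revoked the certificate on day 2, because the verdict is only as fresh as the revocation data the client happens to hold. A client that wants to shorten that window has to refresh revocation data more often than the publisher’s NextUpdate requires, or ask the issuer for the certificate’s status at the moment it decides whether to run the code.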

14 Comments

  • MsGwennie says:

    Thank you for this information,

    Is there anyway to check you have it please?

    • Thomas says:

      I’m not sure I understand the question…

      • MsGwennie says:

        Sorry Thomas, I mean is there any way to know if a person has it on their machine?

        • MsGwennie says:

          Thomas no need to reply, thank you, I have received an answer in Apple Discussion Communities, cheers

        • Thomas says:

          Ahh, I understand now! Seems obvious in retrospect… 🙂 Well, even though you’ve found your answer, note that the link to F-Secure’s article on the topic has a complete description of what is installed where.

  • Someone says:

    You said “on testing that app again this morning, it still opens just fine, with only the standard warning for an app downloaded from the internet.” I’m assuming that means – and you can correct me if I’m wrong – that Gatekeeper didn’t catch it.

    So, how do Gatekeeper definitions get updated? Is it an automatic process, or does a user have to manually update software to get new definitions?

    • Thomas says:

      Gatekeeper didn’t stop it because the app is signed with a Developer ID. However, that Developer ID was supposed to have been revoked, so it should end up being blocked. I haven’t had a chance to check it yet today, so I’m not sure whether or not that is still the case. If I get time tonight, I’ll check it again.

  • Someone says:

    And also, will this HackBack/FileSteal/KitM thing be added to your Mac malware guide?

    • Thomas says:

      Yup. I’m not sure exactly how, yet, though. Some AV companies are calling all of these by the same name (eg, FileSteal.A, FileSteal.B) and others are calling them by different names (eg, HackBack.A, KitM.A). I want to do a little more research before I decide whether to add it as two different entries or only one.

  • Taavi says:

    Thank you for the information !
    Yesterday I scanned my MacBook with Sophos and it said 1 threat found. How can I know what kind of threat was it? I did not find any logs about it. I told Sophos to delete it though.
    I hope it wasn’t OSX/KitM.A.
    I’d also like to thank you for doing this site. Security is very important to me. I also use Mac OS X Leopard, which is now unsupported, and now I use Mac OS X Lion, which is luckily still supported, but my MacBook cannot run Mountain Lion and I don’t have any free money to spend on a new Mac to run the latest OS. I’d really appreciate it if you gave us tips on how to secure an unsupported OS too. Not everyone can run the latest operating system.

    • Thomas says:

      When Sophos detects malware, it always shows you what files were identified as malware and what malware they were identified as. If you did not take note of that, go to the Logging pane of Sophos’ preferences window and view the log to see what it was. Most likely, it was simply Windows malware that had gotten onto your hard drive somehow.

      As for securing a Leopard (or older) system, I would consider anti-virus software to be essential. Since you’re already running Sophos, you should be covered. Of course, you will need to be cautious of what you download, should keep Java turned off in your web browser, etc… all the normal precautions I talk about in my Mac Malware Guide.

  • Erika says:

    How can one become infected with this malware?

    • Thomas says:

      Well, you can’t at this point. But before its certificate was revoked, it seems that only people who were directly targeted got infected, by downloading it or installing it after receiving a personally-targeted phishing e-mail.
