New Mac spyware found at freedom conference
Published May 17th, 2013 at 6:42 AM EDT, modified May 21st, 2013 at 12:38 PM EDT
F-Secure announced yesterday the discovery of a new piece of Mac malware, found at the annual Oslo Freedom Forum on a freedom-of-speech activist’s computer. This malware, which they are calling OSX/KitM.A, appears to take screenshots about every 20 seconds, and presumably (though they did not say this outright) uploads them to a remote server. Most interestingly, this malware is signed with an Apple Developer ID!
According to tweets by the discoverer of the malware, Jacob Appelbaum, the malware infected its victim through a targeted “spear phishing” attack, utilizing an e-mail message containing the payload. He also says that Apple has informed him that they have revoked the certificate used for signing the malicious app, so future infections won’t be possible using that Developer ID.
Also interesting is the fact that Sean Sullivan, from F-Secure, has said that this appears to be related to something called “HackBack.” I have never heard of HackBack, and the only reference to it that I can find is a page from Sophos’s site from a year ago describing it. As far as I know, and as far as a Google search would seem to indicate, it was never announced publicly.
I’m sure that more details will be coming soon. I’ll keep everyone posted!
5/17/2013 7:41 am EST: I got my hands on a sample and tested it in a virtual machine. It works just as described in F-Secure’s post. Interestingly, though, the app opened just fine, with just the standard warning that it had been downloaded from the internet. If Appelbaum is actually correct that Apple revoked the Developer ID, my system was not aware of that. It will be interesting to keep an eye on that. I’ve never actually seen another case of Apple revoking a Developer ID, so I’m not sure exactly how the revocation works on the user’s end.
5/17/2013 11:51 am EST: Intego has just chimed in on the topic, calling this malware a new variant of OSX/FileSteal. This makes matters slightly clearer. FileSteal was quietly added to Apple’s XProtect definitions back in January of 2012, completely puzzling a group of other amateur security researchers that I’m a part of. There is still no documentation to be found online as to what FileSteal might be, but evidently it is what Sean Sullivan is calling HackBack. Still no details on that, but an additional name gives more to work with, so I’ll keep digging. Interestingly, although Intego says this new malware is FileSteal, it was not blocked by XProtect, so it must be different enough that Apple’s definitions don’t catch it.
5/18/2013 9:10 am EST: After sending a copy of the KitM malware to Apple, I heard from an Apple representative last night, and they said that they had revoked the certificate for that Developer ID on the 16th. However, on testing that app again this morning, it still opens just fine, with only the standard warning for an app downloaded from the internet. There is no sign that the app’s certificate has been revoked. I’m not trying to claim that Apple isn’t telling the truth, but clearly there’s something about the revocation process that isn’t being picked up by my machine (at least) two days later. That’s a fairly significant security issue. When Apple revokes a certificate like this, that should block the app from being opened on end-user machines as close to immediately as possible!
5/21/2013: I’ve been extremely busy the last couple of days, but tested this again yesterday, and it finally was blocked. I could no longer open the app at all, and was told that it could not be opened and needed to be moved to the trash. I’m not sure why it took so long for that certificate revocation to be picked up by my test system, but I’m glad to see it finally stopped working!
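Checking an app's Developer ID signature and Gatekeeper's verdict yourself, as an added shell example that is not part of the original post: `codesign` and `spctl` are the real macOS tools, while the parsing helpers, the sample output they are tested on, and the `assess_app` wrapper are constructed here, and the live check assumes a macOS system.

```shell
#!/bin/sh
# Added example (not from the original post): read the signer of an app and
# ask Gatekeeper whether it would still allow it to run. The live check needs
# macOS (codesign/spctl); the parsers below work anywhere on captured output.

# `spctl --assess -v` prints "<path>: accepted" or "<path>: rejected",
# followed by a "source=..." line. Print the verdict, or "unknown".
parse_spctl_verdict() {
    awk '/: accepted/ { print "accepted"; found = 1; exit }
         /: rejected/ { print "rejected"; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Print the reason Gatekeeper gives (e.g. "Developer ID").
parse_spctl_source() {
    awk '/^source=/ { sub(/^source=/, ""); print; exit }'
}

# `codesign -dvvv` prints one "Authority=" line per certificate in the chain,
# leaf first, so the first line names the Developer ID that signed the app.
parse_codesign_authorities() {
    awk '/^Authority=/ { sub(/^Authority=/, ""); print }'
}

# Live check: returns 0 if Gatekeeper accepts the app, 1 if it rejects it,
# 2 if the macOS tools are not available on this system.
assess_app() {
    app="$1"
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "unavailable: codesign/spctl not found (not macOS?)" >&2
        return 2
    fi
    # codesign writes its details to stderr, hence 2>&1
    leaf=$(codesign -dvvv "$app" 2>&1 | parse_codesign_authorities | head -n 1)
    echo "leaf signer: ${leaf:-<unsigned>}"
    report=$(spctl --assess --type execute -v "$app" 2>&1)
    verdict=$(printf '%s\n' "$report" | parse_spctl_verdict)
    reason=$(printf '%s\n' "$report" | parse_spctl_source)
    echo "gatekeeper: $verdict (${reason:-no source reported})"
    [ "$verdict" = "accepted" ]
}
```

Re-running `assess_app` on a sample over several days, as the post does by hand, shows when a revocation has actually reached the machine: the verdict flips from accepted to rejected.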