We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

OSX/Crisis malware revealed as targeted attack

Published July 27th, 2012 at 7:06 AM EDT , modified July 30th, 2012 at 10:10 PM EDT

Over the last couple days, a lot more information about the malware Intego announced as OSX/Crisis has come out.  It has been discovered that it contains part of a commercial malware package called Remote Control System DaVinci, which is marketed primarily to governments and sells for 200,000 euros.  At this point, it appears to be a targeted attack, likely on the part of a Middle Eastern government and aimed at a group of Moroccan journalists who covered the Arab Spring revolution.

Intego revealed that it installs via a Java applet that uses social engineering tricks to install, much like other recent malware, like GetShell.  The Java applet also can apparently detect whether the system is Mac OS X or Windows and drop the appropriate malware, indicating that there must be a Windows component to this malware as well.  Intego also revealed their source, DefensiveLab, which in turn revealed that the infection had been found on the hard drive of a Moroccan journalist.

Sophos posted details on what this malware can do once installed, and it’s a frightening litany of spying.  It does more than I recall any other Mac malware ever being capable of, including recording through the Mac’s internal microphone and webcam and intercepting conversations in programs like Skype, Adium and MSN Messenger!  They also refer to this malware as Morcut, and leveled some mild criticism at Intego for the name “Crisis.”  Evidently, that name comes from the malware’s code, in such a way that it looks like the creator wanted it to be called “Crisis.”  The security industry apparently has an informal tradition of deliberately ignoring such names, as a kind of poke in the eye to the author of the malware, which Intego did not follow.

In all, this seems like just another targeted attack that the average Mac user will never need to worry about.  Since this malware is not a self-replicating virus, it’s extremely unlikely that it would get out of its creators control.  Unless you are part of a group that a large government might be interested in closely monitoring, you’re almost certainly safe from malware like this.

Tags: , , ,


  • Jim Cooper says:

    My Mac was hit July 26th, 2012, after I downloaded a Java
    applet offered by Scottrade to see stocks in real time. Since the 27th, the Mac is almost unresponsive. I copied the SophosAV to a cd and slid it into the Mac. Things are a little better, but still got a mjor problem.

    Is there a specific way the AV cd should be loaded/run?


    • Thomas says:

      There’s no need to put Sophos on a CD… You simply download it from the Sophos website, open the .dmg file that you get and run the installer (the .pkg file that looks like a box). However, I doubt you have malware. From the sounds of it, you may have simply downloaded a bad app that is causing performance problems. See my Mac Performance Guide.

  • Jim Cooper says:

    Well, I followed your Mac Performance Guide and Eureka!, “invalid node structure on the Mac HD”.

    Thank you for being there for me.


  • Jim Cooper says:


    After finding that the Mac HD was in need of repair, "invalid node structure", I went to Apple and had them re-start with a different start-up disk. They could not repair the HD. Are there other low cost repair options or do I buy a new hard drive?
    ($230.00 installed by Apple, probably re-conditioned, but double the GB's, 500 instead of current 250.)


  • Femi says:

    Hello Thomas,

    My MacBook has been attacked by a potential malware since August 1 which I’ve been struggling to get out. When using Firefox or Safari, my webpages get hijacked and diverted to a particular site which looks like domain parking.

    I ran SophosAV but its detected nothing. I’ve cleared cache and cookies repeated and that works for a little bit, then the hijack resumes. I’ve searched for Flashback and its detected nothing.

    How can you help as its doing my head in?



  • Femi says:

    To add, it seems to be hijacking the site certificates of my websites. This is what I saw when I tried to log into my Gmail uses an invalid security certificate.

    The certificate is only valid for

    (Error code: ssl_error_bad_cert_domain)

This post is more than 90 days old and has been locked. No further comments are allowed.