Jacob Appelbaum was delivering a talk on how dissidents can protect themselves. During the process he discovered a backdoor infecting the Mac computer of an Angolan dissident.
Appelbaum has not yet expanded on the details of what he discovered, but says he intends to. “The Angolan activist was pwned via a spear phishing attack - I have the original emails, the original payload and an updated payload,” he subsequently tweeted. First, however, “I have to talk to the target about some details as their life is likely in danger. :(”
The malware in question, which F-Secure has dubbed Backdoor:OSX/KitM.A, does not appear to be a threat to the wider Mac community: it seems to be highly targeted (in this incident, at a specific Angolan dissident), and detection signatures for it are rapidly being added to the major anti-virus engines. Both points concern this sample's distribution, not its delivery technique, which nothing prevents from being reused against other targets.
F-Secure is currently analyzing the malware and has published initial findings in its blog. One disturbing element is that it got past Apple’s much-vaunted built-in protection because it was signed with an Apple Developer ID certificate, so Gatekeeper opened the gate and let it in. Gatekeeper “helps protect users from downloading and installing malicious software,” says Apple. “Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with.” Read carefully, that is all Gatekeeper checks: that the signature chains to a Developer ID certificate Apple has not revoked, that the bundle has not been modified since it was signed, and that it is not on Apple's list of known malware. It does not examine what the code does, so anything carrying a valid Developer ID signature is allowed in even if it is malware. Apple has now revoked that particular Developer ID, which stops further copies signed with it from passing Gatekeeper but does nothing for machines on which it is already installed and running.
The malware itself takes screenshots and stores them in a folder called MacApp. “There are two C&C servers related to this sample,” says F-Secure. One of the IP addresses is registered in the Netherlands, and the other, according to F-Secure, is in France (although ip-adress.com traces it to Ireland); registration data of this kind locates the hosting provider, not the operator. At the time of writing one of the addresses does not resolve, and the other denies public access.
Users who are concerned that they may be infected can simply look for the malware (macs.app) and the folder it creates (MacApp) and remove them, since it makes no attempt to hide itself. Anyone in the target's position should copy both off the machine before deleting them: the MacApp folder is the record of what was captured, the bundle carries the signature that identifies the certificate holder, and deleting the files does not undo what has already been sent to the C&C servers. In one sense this is rather naive malware, but “The problem is that the author was good enough to get someone into mortal danger. Lame but deadly,” tweeted Appelbaum.
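The following triage script is an added example and is not F-Secure's, Appelbaum's or Apple's code. It ties together the two practical points above: finding the artifacts named in the article (the macs.app bundle and the MacApp screenshot folder) without deleting them, and, on a Mac, asking Gatekeeper's own policy engine (spctl) and codesign what they make of the bundle, which is how one sees that a still-valid Developer ID signature yields "accepted" regardless of what the code does. The only facts taken from the article are the two artifact names; the function names, the paths in the constructed sample output, and the assumption that spctl prints a verdict line followed by a source= line are all assumptions made for this example.

```shell
#!/bin/sh
# Added triage example for the KitM.A indicators described in the article.
# Not F-Secure's or Appelbaum's code. The artifact names "macs.app" and
# "MacApp" come from the article; everything else here is an assumption.

# Constructed samples of what `spctl --assess --type execute -v <app>` prints.
# The first is what a bundle signed with a still-valid Developer ID produces
# (newer macOS releases print "Notarized Developer ID" as the source); the
# second is an unsigned bundle. Both strings are made up here for offline use.
SAMPLE_SIGNED='/Users/target/Downloads/macs.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Users/target/Downloads/macs.app: rejected
source=no usable signature'

# kitm_scan ROOT: list the KitM.A artifacts under ROOT, one "IOC: path" per line.
# Exit status 0 if anything was found, 1 if the tree is clean (grep-style).
kitm_scan() {
    hits=$(find "$1" \( -name 'macs.app' -o -name 'MacApp' -type d \) 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sed 's/^/IOC: /'
}

# gatekeeper_summary TEXT: reduce spctl's assessment to "<verdict> (<source>)",
# e.g. "accepted (Developer ID)". That is exactly what KitM.A produced before
# Apple revoked the certificate: Gatekeeper vouched for the signature, not the
# behaviour. Unparseable input yields "unknown (no source reported)".
gatekeeper_summary() {
    verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
    printf '%s (%s)\n' "${verdict:-unknown}" "${src:-no source reported}"
}

# triage ROOT: run the scan and, on macOS, ask Gatekeeper and codesign about
# every macs.app bundle found. Returns 0 if indicators were present, 1 if not.
# Deliberately removes nothing: copy the bundle and the MacApp folder off the
# machine first, since the screenshots are the record of what was captured.
triage() {
    root="${1:-$HOME}"
    if ! kitm_scan "$root"; then
        echo "no KitM.A indicators under $root"
        return 1
    fi
    if command -v spctl >/dev/null 2>&1 && command -v codesign >/dev/null 2>&1; then
        find "$root" -name 'macs.app' 2>/dev/null | while IFS= read -r app; do
            out=$(spctl --assess --type execute -v "$app" 2>&1)
            echo "$app: Gatekeeper verdict $(gatekeeper_summary "$out")"
            # Who signed it: the Authority lines name the Developer ID holder and
            # the Apple CA chain; TeamIdentifier is what Apple revokes.
            codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
        done
    else
        echo "spctl/codesign not available (not macOS): skipping signature check"
    fi
    return 0
}

# Offline demonstration of the two Gatekeeper outcomes on the constructed samples.
echo "signed sample:   $(gatekeeper_summary "$SAMPLE_SIGNED")"
echo "unsigned sample: $(gatekeeper_summary "$SAMPLE_UNSIGNED")"

# Usage: sh kitm_triage.sh /Users/<victim>   (defaults to $HOME when called as triage)
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Run it against the home directory of the machine in question. The point of the signature step is the verdict it prints rather than the removal: on a Mac where the certificate has not yet been revoked, a bundle like this reports "accepted", and the Authority lines from codesign are what one would hand to Apple to get the Developer ID pulled.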