The Hangover continues: researchers uncover more Mac malware variants

KitM functions as a backdoor that gives the attackers access to a compromised system; it also takes screenshots without the user's knowledge and uploads them to a remote command-and-control (C&C) server over that same connection.

Last week, it was found on the Mac laptop of an Angolan activist attending the Oslo Freedom Forum. That discovery made it clear that a long-running, wide-ranging attack campaign, aimed primarily at Pakistan and apparently originating in India, has been underway. Earlier this week, new research showed that the campaign is further-flung than originally thought and has been running for at least two years. The two KitM samples found last week connected to C&C servers hosted in the Netherlands and Romania, which Norman Shark was able to link to the Operation Hangover attack infrastructure.

Now F-Secure researchers have uncovered yet more KitM variants, used in targeted attacks between December and February and distributed via spear-phishing emails carrying .zip archives, the researchers said in a blog post. The emails primarily targeted German-speaking victims and purported to deliver Christmas cards and similar content.

“Though the spear phishing payloads are not particularly ‘sophisticated,’ the campaign’s use of German localization and the target’s name does indicate the attackers have done some homework,” the F-Secure researchers said.

All KitM strains are signed with an Apple Developer ID certificate issued in the name of Rajinder Kumar, hence the name (KitM is short for "Kumar in the Mac"). Apple has since revoked that Developer ID.

To protect themselves, F-Secure advised, Mac users can set Gatekeeper (System Preferences > Security & Privacy > General) to allow only applications downloaded from the Mac App Store. Two caveats apply: Gatekeeper evaluates a downloaded application only when it still carries the quarantine attribute and is launched for the first time, so the setting does not remove a backdoor that is already installed and running; and since Apple has revoked the certificate, even the default "Mac App Store and identified developers" setting will now refuse newly downloaded KitM copies, while copies already on a system keep running until they are found and removed.
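The checks that follow from this advice, as an added example written for this page (not code from F-Secure, Norman Shark or the article): confirm that Gatekeeper is enforcing, see whether a given application bundle would pass assessment and still carries the quarantine attribute, and read the bundle's leaf signing certificate to see whether it is the Developer ID the article names. The live checks assume a macOS host with `codesign`, `spctl` and `xattr`; the parsing helpers are plain POSIX sh and run anywhere. The `spctl` rule label used to restrict Gatekeeper to the Mac App Store from the command line is an assumption taken from `spctl --list` output; the System Preferences pane is the documented route.

```shell
#!/bin/sh
# Added example for this article; not code from F-Secure or Norman Shark.
# Assumptions: a macOS host with codesign(1), spctl(8) and xattr(1) for the
# live checks; the two parsing helpers are plain POSIX sh and run anywhere.
# The signer name checked ("Rajinder Kumar") is the one the article reports.

# Print the leaf signing authority from `codesign -dvvv` output read on stdin.
# codesign lists the chain as "Authority=<leaf>", "Authority=<intermediate>",
# "Authority=<root>"; the first line is the certificate that matters here.
leaf_signer() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Return 0 if the leaf signer on stdin is a Developer ID Application
# certificate issued in the given name, 1 otherwise. A revoked ID still shows
# up here: codesign reports who signed, Gatekeeper decides whether to trust.
signed_by_name() {
    name=$1
    leaf=$(leaf_signer)
    case $leaf in
        "Developer ID Application: $name"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks (macOS only). Pass the path of a .app bundle.
inspect_app() {
    app=$1
    echo "== Gatekeeper status (should say 'assessments enabled'):"
    spctl --status
    echo "== Quarantine attribute (absent means Gatekeeper never evaluated it):"
    xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "(none)"
    echo "== Gatekeeper verdict for launching this bundle:"
    spctl --assess --type execute --verbose=4 "$app" 2>&1
    echo "== Leaf signer:"
    codesign -dvvv "$app" 2>&1 | leaf_signer
    if codesign -dvvv "$app" 2>&1 | signed_by_name "Rajinder Kumar"; then
        echo "!! signed with the Developer ID used by KitM; treat as hostile"
    fi
}

# To restrict Gatekeeper to Mac App Store apps from the command line
# (assumption: the rule label as shown by `spctl --list`), run:
#   sudo spctl --disable --label "Developer ID"
# and `sudo spctl --enable --label "Developer ID"` to restore the default.

# Run the live checks only when invoked with a bundle path, so the file can
# also be sourced for the helpers above.
if [ "$#" -gt 0 ]; then
    inspect_app "$1"
fi
```

Usage: `sh inspect_app.sh /Applications/Suspect.app`. An application that fails `spctl --assess` but has no quarantine attribute was never shown a Gatekeeper prompt, which is the case for anything installed before the attribute was set or copied in by other means; such bundles have to be found and removed by hand.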
