OS X version of Windows backdoor spotted

A recently discovered backdoor aimed at Mac computers is likely wielded by a long-standing APT group that has previously been known to target US defense firms and organizations, electronics and engineering companies around the world, and non-government organizations with interests in Asia, say FireEye researchers.

The XSLCmd backdoor for OS X was first spotted when it was submitted to VirusTotal on August 10, 2014, and not one of the AV solutions it uses detected it as malicious.

Subsequent analysis by FireEye’s researchers showed that the malware’s code is based on that of its homonymous Windows counterpart that was first seen used in 2009, and has been used widely and extensively in the last couple of years.

“Its capabilities include a reverse shell, file listings and transfers, installation of additional executables, and an updatable configuration,” the researchers noted. “The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing.”

Going through the malware’s code, the researchers had the impression that the rewriting and adding to the original code was done by another coder. Other changes they noted make them think that the OS X backdoor was created when OS X 10.8 was the latest, or the most common version of the OS in use, and that the coder made efforts to make the backdoor compatible with older OS X versions.

The group they believe is using the backdoor has been named by the researchers GREF, because it uses a number of Google references in their activities. Even though they have been known to use phishing emails to saddle targets with malware, GREF is one of the pioneers of the “watering hole” type of attacks.

Back in 2010, the group also used a lot of 0-day exploits to compromise web servers to gain entry to targeted organizations, as well as to turn sites into “watering holes.” And another thing to note is that they have never been too worried about masking their attacks.

“This threat group appears to devote more resources (than most other groups) in attempting to penetrate web servers, and generally, they make no attempt to obscure the attacks, often generating gigabytes of traffic in long-running attacks,” the researchers shared. “They are known to utilize open-source tools such as SQLMap to perform SQL injection, but their most obvious tool of choice is the web vulnerability scanner Acunetix, which leaves tell-tale request patterns in web server logs. They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system.”

Besides the XSLCmd Windows backdoor, the group has been known to use a variety of others, some unique to them and others popular with many threat actors.

This group has proven itself to be adaptable – using different tools and techniques as time went by – and this is their latest adjustment.

FireEye’s researchers believe that this latest discovery is an indication of OS X’ increased popularity across enterprises, and warns against the false sense of security and a dangerous sense of complacency that IT departments and users might feel when using Macs.

“In fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers,” they pointed out.

Researchers looking for more technical details about the backdoor’s installation routine, configuration options, its C&C protocol, the IP addresses the group often uses, as well as list of files created by the malware on the target computer, can find them in the exhaustive original blog post.

More about

Don't miss