But before we go into details, let’s start with a quiz:
- The Dalai Lama walks into an Apple Store. Why?
A possible answer is, “to buy one of the new MacBook Pro’s with the Retina display!” (speaking of which, I would very much like to buy one of those as well, but it’s kind of difficult to justify the hit to the family budget)
Joke aside, actually Dalai Lama is a well known Mac user. Here’s a photo of him using a Mac during a conf call:
Perhaps it is no surprise that we are seeing an increase in the number of APT attacks against such high profile users using Mac’s.
On June 27th, we’ve intercepted a new wave of APT attacks targeting certain Uyghur Mac users.
The e-mails have a ZIP file attached. Inside the ZIP file, there’s a JPG photo and a MacOS X app:
MD5 ( “matiriyal.app/Contents/MacOS/iCnat” ): e88027e4bfc69b9d29caef6bae0238e8
When executed, it installs itself in the system and connects to its Command and Control server to get instructions. The backdoor allows its operator to list files, transfer files and generally, run commands on the infected machine.
As usual, although some of the comments and debug info are in English, they contain common mistakes:
- “Recieve” instead of “Receive”
- “os verison” instead of “os version”
- “memery” instead of “memory”
The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size. The configuration block is obfuscated with a simple “substract 8” operation.
Once decrypted, the command and control server address can be read: 61.178.77.*, located in China:
With Macs growing in popularity and their increased adoption by high profile targets, we expect the number of MacOS X APT attacks will also grow. Previous attacks used MS Office exploits (Exploit.MSWord.CVE-2009-0563.a.); the one described here relies on social engineering to get the user to run the backdoor. Just like with PC malware, a combination of exploits and social engineering tricks are generally the most effective; it won’t be surprising to see a spike in such attacks soon.
Update [30 Jun 2012]: AlienVault posted a description of the Windows counterpart of the backdoor used in this attack. You can read their analysis here.