
New malware for Mac: Backdoor.OSX.Morcut

Sergey Golovanov
Kaspersky Lab Expert
Posted July 26, 13:31 GMT
Tags: Apple MacOS

Yesterday many antivirus labs received a sample of a new malicious program targeting Mac OS X users. The sample, named Backdoor.OSX.Morcut, was distributed using social engineering via a JAR file called AdobeFlashPlayer.jar that was allegedly signed by VeriSign Inc.



Notification from the Java virtual machine about the launch of the untrusted applet

If the user allows the JAR file to run, it creates the executable file payload.exe (993,440 bytes) in a temporary folder named ~spawn[sequence of digits].tmp.dir and launches it.



The section of the JAR file code responsible for saving the Mac OS X malicious program to disk and launching it

Once it is launched, the malicious program initializes its components and passes control to them. The components include:

  1. The installer and management (C&C) server communication module (mach-o file for x86, 401,688 bytes in size). It checks for the presence of the autorun file Library/LaunchAgents/com.apple.mdworker.plist and of files containing stolen data, named *.flg.
  2. Rootkit (mach-o file, driver for x86, 14,724 bytes in size, with the internal name ‘mchook’). It is responsible for hiding files and processes in the system.
  3. Rootkit (similar to the previous one, but for x64).
  4. Spyware (mach-o file for x64, 365,564 bytes in size). Responsible for working with Firefox, Safari, Skype and Adium. Captures keystrokes and the cursor position when the mouse is clicked, clipboard content, audio streams and video of the screen.
  5. Spyware (similar to the previous one, but for x86, 93,048 bytes in size).
  6. Autorun file (mach-o file for x64, 24,808 bytes in size). Responsible for communication between the modules.
  7. Autorun file (similar to the previous one, but for x86, 24,100 bytes in size).
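A defender-side host triage script for the on-disk artefacts listed above, added here as an example; it is not part of the original post or of Kaspersky's tooling. It assumes the dropper's temporary folder lives in a tmp directory passed as an argument, and the fixture names it creates (~spawn48211.tmp.dir, 0001.flg) are constructed stand-ins.

```shell
#!/bin/sh
# Added triage example (not from the original post): look for the on-disk
# artefacts the analysis describes. Indicator names (com.apple.mdworker.plist,
# ~spawn*.tmp.dir, payload.exe, *.flg) come from the post; the function names,
# the fixture layout and the assumed location of the temp folder are ours.

# morcut_scan HOME TMP: print one line per finding, return 0 if anything found.
morcut_scan() {
    scan_home="$1"; scan_tmp="$2"; found=1

    # 1. Persistence: the LaunchAgent the installer module checks for.
    plist="$scan_home/Library/LaunchAgents/com.apple.mdworker.plist"
    if [ -f "$plist" ]; then
        echo "persistence: $plist"; found=0
    fi

    # 2. Dropper residue: ~spawn<digits>.tmp.dir created by the JAR applet.
    for d in "$scan_tmp"/~spawn*.tmp.dir; do
        [ -d "$d" ] || continue               # unmatched glob stays literal
        echo "dropper dir: $d"; found=0
        [ -f "$d/payload.exe" ] && echo "dropped payload: $d/payload.exe"
    done

    # 3. Exfiltration staging: *.flg files holding stolen data.
    flg=$(find "$scan_home" -type f -name '*.flg' 2>/dev/null)
    if [ -n "$flg" ]; then
        printf '%s\n' "$flg" | sed 's/^/stolen-data file: /'; found=0
    fi
    return "$found"
}

# build_fixture ROOT: constructed, empty stand-ins for the artefacts so the
# scan can be exercised offline without any real sample.
build_fixture() {
    mkdir -p "$1/home/Library/LaunchAgents" "$1/home/Library/Preferences" \
             "$1/tmp/~spawn48211.tmp.dir"
    : > "$1/home/Library/LaunchAgents/com.apple.mdworker.plist"
    : > "$1/tmp/~spawn48211.tmp.dir/payload.exe"
    : > "$1/home/Library/Preferences/0001.flg"      # constructed file name
}

# Demo against the fixture; on a real host: morcut_scan "$HOME" /tmp
demo=$(mktemp -d)
build_fixture "$demo"
morcut_scan "$demo/home" "$demo/tmp"
rm -rf "$demo"
```

A clean host yields no output and exit status 1, so the function can drive a fleet-wide check that alerts only on hits.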



Section of the spy module code used for encrypting stolen data and connecting to the C&C server



Section of the spy module code used for capturing keystrokes and mouse clicks

The functionality of these modules varies slightly depending on whether the user has administrative rights. No request for the user's password is made.

These modules were written professionally, evidently with the intention of being used widely in the future. From the code we can see that the cybercriminals developed this Trojan in order to sell it on hacker forums. It is quite possible that in the near future this Trojan may become another ZeuS, in terms of both popularity and the number of botnets.

PS 1. KSN (Kaspersky Security Network) has not yet recorded any infections caused by this malicious program.

PS 2. This malware may have been placed not on the black market but on the "white" market, for law enforcement agencies.


6 comments


piotr

2012 Jul 27, 12:46

Cybercriminals? ZeuS?

This "Morcut" is nothing other than HackingTeam's Remote Control System (see http://www.hackingteam.it/) and no, it's not being used in any APT; it's used for legal phone (and PC) tapping, authorized by magistrates in civil countries. And no, it's not being sold on underground forums; it's only sold to police forces.

Well, at least I see you don't lack fantasy when reversing code. :)


Sergey Golovanov

2012 Jul 27, 14:43

Re: Cybercriminals? ZeuS?

Well, in the 3rd picture you can see a "demo marker", so it should definitely be placed on some market; plus, in the samples we can see some old virus techniques (like playing with ESP and so on), so it could have been created by real malware writers. As a result I decided to talk about hacking forums and the cyber underground.

I will look further to try to find more info about this case. Thank you for your comment...


qqq

2012 Jul 27, 16:39

Re: Cybercriminals? ZeuS?

Stop spreading BS and making up stories based on zero evidence. Of course the product is being sold to someone, somewhere.

You didn't just decide to talk about the cyber underground; you wrote "From the code we can see that the cybercriminals developed this Trojan in order to sell it on hacker forums". So what's the evidence?

"Playing with ESP"?? WTH are you trying to prove here? Using known tricks to evade emulation or confuse analysts again does not prove anything about it being developed by cybercriminals or being sold on forums.


Sergey Golovanov

2012 Jul 30, 14:54

Re: Re: Cybercriminals? ZeuS?

Sorry, but what's the evidence that this sample was created by HackingTeam? Why is this sample self-spreading via autorun? Why are there strings in French? Why was the sample found outside the EU?

I see evidence that this sample is being sold to many people, and I can't see any evidence that these people are from the police.


Marta Janus

2012 Jul 30, 15:47

Re: Re: Cybercriminals? ZeuS?

It's clearly a Trojan with rootkit and spyware functionality. What difference does it make (at least from the AV industry's point of view) whether it's being used by police or by cybercriminals? It's malware after all.
And even if it's used by police, it may always leak, or might already have leaked, to the "underground forums" as well.
And if it's used by a government, that doesn't necessarily mean it's not being used for targeted attacks...


paTHogen

2012 Aug 24, 17:55

exlnt synopsis

Good work on the analysis, Sergey. You've obviously hit the nail on the head, as the hackers who brewed this code are upset that their attempts at marketing a govt toolkit are getting exposed from their roots. Always enjoy your blog posts. Thx
