Kaspersky’s Costin Raiu reports that a variant of the MaControl backdoor Trojan is being used in an APT (Advanced Persistent Threat) attack targeting Uyghur human rights activists. (The Uyghurs are a Turkic ethnic group living in Eastern and Central Asia, mostly in the Xinjiang Uyghur Autonomous Region, part of China, though there are also smaller populations in Kazakhstan and Kyrgyzstan.)
Kaspersky detects it as “Backdoor.OSX.MaControl.b”. Hopefully the company won’t object to my citing the MD5 value of the binary “matiriyal.app/Contents/MacOS/iCnat” (e88027e4bfc69b9d29caef6bae0238e8). Kaspersky also reports that the Command and Control server IP address is located in China.
AlienVault Labs reports seeing similar mails (as detailed in their report) that reference the same IP address but implement a Windows-specific attack using Gh0st RAT, a tool previously associated with APT attacks on ‘Tibetans, Uyghurs and other groups on the ASEAN zone.’
Information from VirusTotal on the binaries cited by AlienVault (file name: file size):
matiriyal.exe: 107.4 KB (109955 bytes)
1.exe.dr: 92.0 KB (94208 bytes)
kbdmgr.dll.dr: 73.5 KB (75264 bytes)
More or less by definition, APTs are highly targeted, so it’s unlikely that these binaries will turn up in your mailbox or mine. However, the fact that the attackers considered it worthwhile to target both Windows and OS X does suggest that Mac users have taken another reluctant step into the ugly world of the potential victim of malware.
John Leyden’s story here also refers…
David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus