Posted by: David Harley | June 30, 2012

The Mac APT Store is now open

Kaspersky’s Costin Raiu reports that a variant of the MaControl backdoor Trojan is being used in an APT (Advanced Persistent Threat) attack targeting Uyghur human rights activists. (The Uyghurs are a Turkic ethnic group living in Eastern and Central Asia, mostly in the Xinjiang Uyghur Autonomous Region of China, with smaller populations in Kazakhstan and Kyrgyzstan.)

Kaspersky detects it as “Backdoor.OSX.MaControl.b”. Hopefully the company won’t object to my citing the MD5 value of the binary “matiriyal.app/Contents/MacOS/iCnat” (e88027e4bfc69b9d29caef6bae0238e8). Raiu also reports that the Command and Control server IP address is located in China.

AlienVault Labs reports seeing similar mails (as detailed in their report) that reference the same IP address but implement a Windows-specific attack using Gh0st RAT, a tool previously associated with APT attacks on ‘Tibetans, Uyghurs and other groups on the ASEAN zone.’

Information from VirusTotal on the binaries cited by AlienVault:

SHA256: 1f516b10a749c7e1625469d8905393e298f7504be6b56534b195f72640a7638a
SHA1: 90cbc8fae1b07a13b42e39e14e5289e5df105c27
MD5: 379d6eec27dac7617d4057913a395cda
File size: 107.4 KB (109955 bytes)
File name: matiriyal.exe

SHA256: 1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb
SHA1: 7b5f2c493938ed77f8b8e8839419540d3f7a0c93
MD5: f0998e632b22a528459b1dc6ad87a8a1
File size: 92.0 KB (94208 bytes)
File name: 1.exe.dr

SHA256: e6012b7c340841b4725ab3c619e3d0b274cc11565526d91b8a639a7ae93bce60
SHA1: ba65c5be4e2d3afe2df86a89b210e6714ccbf1eb
MD5: 5f39c5e8decd884cf8acea0b6d5f7e35
File size: 73.5 KB (75264 bytes)
File name: kbdmgr.dll.dr
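The hashes above are only useful if someone actually checks files against them, so here is an added example (my own illustration, not code from Kaspersky, AlienVault or VirusTotal) of a small hash-IOC sweep in Python. It streams each file under a directory through MD5, SHA-1 and SHA-256 at once and reports any file whose digest appears in the list quoted in this post. The scan root “/Applications” and the demo directory it builds are assumptions; no real sample is included, so the demo adds the SHA-256 of a benign stand-in file to a copy of the IOC set purely to show what a hit looks like. Bear in mind the usual caveat: a recompiled or repacked variant will not match any of these digests, so hash IOCs catch exactly these binaries and nothing else.

```python
import hashlib
import os
import tempfile

# Digests quoted in the post: the MaControl MD5 from Kaspersky and the three
# Windows-side binaries AlienVault submitted to VirusTotal. Lower-case hex.
IOC_HASHES = {
    "md5": {
        "e88027e4bfc69b9d29caef6bae0238e8",  # matiriyal.app/Contents/MacOS/iCnat
        "379d6eec27dac7617d4057913a395cda",  # matiriyal.exe
        "f0998e632b22a528459b1dc6ad87a8a1",  # 1.exe.dr
        "5f39c5e8decd884cf8acea0b6d5f7e35",  # kbdmgr.dll.dr
    },
    "sha1": {
        "90cbc8fae1b07a13b42e39e14e5289e5df105c27",
        "7b5f2c493938ed77f8b8e8839419540d3f7a0c93",
        "ba65c5be4e2d3afe2df86a89b210e6714ccbf1eb",
    },
    "sha256": {
        "1f516b10a749c7e1625469d8905393e298f7504be6b56534b195f72640a7638a",
        "1e0ae243e5bb091be07a10ebb246f355e50d6627b64ea0ee4845c588ac97bffb",
        "e6012b7c340841b4725ab3c619e3d0b274cc11565526d91b8a639a7ae93bce60",
    },
}


def hash_file(path, chunk_size=1 << 16):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for one file, read in chunks
    so large binaries are not pulled into memory whole."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the list of algorithms on which `digests` hits the IOC set.
    Comparison is case-insensitive because reports quote hex both ways."""
    return [alg for alg, values in iocs.items()
            if digests.get(alg, "").lower() in values]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk `root` and return {path: [matched algorithms]} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                algs = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort the sweep
            if algs:
                hits[path] = algs
    return hits


def make_demo_tree():
    """Constructed demo input: two benign files in a temp directory, plus a copy
    of the IOC set extended with the SHA-256 of one of them so a hit can be shown.
    Returns (root, path_that_should_hit, iocs_for_demo)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    flagged = os.path.join(root, "matiriyal.exe")  # name only; content is benign
    with open(flagged, "wb") as fh:
        fh.write(b"constructed stand-in, not the real sample\n")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"unrelated file\n")
    iocs = {alg: set(values) for alg, values in IOC_HASHES.items()}
    iocs["sha256"].add(hash_file(flagged)["sha256"])
    return root, flagged, iocs


if __name__ == "__main__":
    root, flagged, demo_iocs = make_demo_tree()
    print("demo hits:", scan_tree(root, demo_iocs))   # the stand-in file, on sha256
    print("page IOCs only:", scan_tree(root))          # {} : benign files don't match
    # Assumed real-world scan root; adjust to taste.
    if os.path.isdir("/Applications"):
        print("/Applications hits:", scan_tree("/Applications"))
```

Matching on the SHA-256 is the one to trust; MD5 is included only because that is what the Kaspersky report quotes, and the scan reports which algorithm fired so you can tell the two apart.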

More or less by definition, APTs are highly targeted, so it’s unlikely that these binaries will turn up in your mailbox or mine. However, the fact that the attackers considered it worthwhile to target both Windows and OS X does suggest that Mac users have taken another reluctant step into the ugly world of the potential victim of malware.

John Leyden’s story here also refers…

David Harley CITP FBCS CISSP
Small Blue-Green World/Mac Virus
