A new Macintosh malware is making the rounds.
For the first half of 2012, we have seen an increase in the number of Mac-based threats: variant OSX.Flashback.K appeared, newly discovered OSX.Sabpab, and OSX.Macontrol with a new variant.
As we begin the second half of 2012, we would like to introduce you to a new instance of Mac malware: OSX.Crisis.
OSX.Crisis is a Trojan that installs a back door on compromised OSX systems. At the time of writing, we are not seeing this threat in the wild. We believe that the infection vector may rely primarily on social engineering to be installed and at this point in time there is no reason to believe there is a vulnerability being used in conjunction with the threat. One possible method of installation is through brand recognition like popular trademarks to compel users to install the malware.
When this back door is installed, it can monitor the following programs:
- Mozilla Firefox
- MSN Messenger (for Mac)
Figure 1. Adium monitoring example
Figure 2. Mozilla Firefox monitoring example
Figure 3. Skype monitoring example
Figure 4. Keylogging functionality
The malware can perform the following actions:
- Record traffic on MSN Messenger (for Mac) and Adium
- Record Internet usage on Safari or Mozilla Firefox
- Capture or record Skype sessions
- Send confidential information to a command-and-control (C&C) server through a back door (18.104.22.168x) and receive commands
It also creates the following directories and files:
It definitely appears to be an advanced threat in function but, because we do not see the infection vector in the wild at the time of this blog, the spread is low at the moment. Symantec has protection in place for OSX.Crisis with Norton 360 Everywhere, Norton One, and Norton Internet Security for Mac. Our Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition products also offer the necessary protection. Users of our Norton AV products are encouraged to update their definitions.
Thanks to Intego who shared these samples with us.