New OSX/Crisis Variant Invokes Pope Francis

Posted on January 20th, 2014 by

A new sample of OSX/Crisis, the all too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab over the weekend. We currently have no information about the origin of the file submitted to VirusTotal under the name "Frantisek," but that is an Eastern European first name meaning Francis. Could it be related to Pope Francis?

Like the previous variants, OSX/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.

The dropper executes an unusual segment, __INITSTUB: the original entry point (EIP) points into this code segment, which runs before the almost empty _main function of the program is ever reached. For this reason, an incautious researcher stepping through the program in a debugger could get infected without even noticing it. While the dropper uses a different way to resolve system symbols, it crashes with a segmentation fault on OS X Mountain Lion and OS X Mavericks. This might be a 64-bit bug in the malware.
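The check a defender or analyst would want before loading such a sample in a debugger is to find out where execution actually starts. The following Python script is an added example, not code from the original post or from Intego: it walks the Mach-O load commands, reads the initial thread state (LC_UNIXTHREAD, the entry mechanism of binaries from that era; LC_MAIN is handled as well) and reports which segment contains the entry point, flagging anything outside __TEXT. The Mach-O it analyses by default is constructed inside the script; its segment layout, addresses and the 0x2010 entry value are illustrative assumptions, not values taken from the OSX/Crisis.C sample.

```python
import struct
import sys

# Mach-O constants for little-endian x86 images.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_UNIXTHREAD, LC_MAIN = 0x5, 0x80000028
X86_THREAD_STATE32, X86_THREAD_STATE64 = 1, 4


def parse_macho(blob):
    """Return (segments, entry): segments is a list of
    (name, vmaddr, vmsize, fileoff, filesize); entry is ("vmaddr", addr)
    for LC_UNIXTHREAD or ("fileoff", off) for LC_MAIN, or None."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC:
        off = 28                          # sizeof(mach_header)
    elif magic == MH_MAGIC_64:
        off = 32                          # mach_header_64 has an extra reserved field
    else:
        raise ValueError("not a little-endian Mach-O image (fat binaries must be sliced first)")
    ncmds = struct.unpack_from("<I", blob, 16)[0]
    segments, entry = [], None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            name = blob[off + 8:off + 24].split(b"\0", 1)[0].decode()
            fmt = "<IIII" if cmd == LC_SEGMENT else "<QQQQ"
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from(fmt, blob, off + 24)
            segments.append((name, vmaddr, vmsize, fileoff, filesize))
        elif cmd == LC_UNIXTHREAD:
            flavor = struct.unpack_from("<I", blob, off + 8)[0]
            state = off + 16              # register block follows flavor and count
            if flavor == X86_THREAD_STATE32:
                entry = ("vmaddr", struct.unpack_from("<I", blob, state + 10 * 4)[0])  # eip
            elif flavor == X86_THREAD_STATE64:
                entry = ("vmaddr", struct.unpack_from("<Q", blob, state + 16 * 8)[0])  # rip
        elif cmd == LC_MAIN:
            entry = ("fileoff", struct.unpack_from("<Q", blob, off + 8)[0])  # entryoff
        off += cmdsize
    return segments, entry


def entry_segment(blob):
    """Name of the segment that contains the entry point, or None."""
    segments, entry = parse_macho(blob)
    if entry is None:
        return None
    kind, value = entry
    for name, vmaddr, vmsize, fileoff, filesize in segments:
        lo, size = (vmaddr, vmsize) if kind == "vmaddr" else (fileoff, filesize)
        if size and lo <= value < lo + size:
            return name
    return None


def entry_is_suspicious(blob):
    """True when execution starts outside __TEXT, i.e. in a non-standard
    segment such as __INITSTUB that runs before main()."""
    return entry_segment(blob) != "__TEXT"


# --- constructed sample (assumed layout, not the real dropper) -------------

def _segment32(name, vmaddr, vmsize, fileoff, filesize):
    # cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
    return struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, name.encode().ljust(16, b"\0"),
                       vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)


def _unixthread32(eip):
    state = [0] * 16
    state[10] = eip                       # eip is register 10 in x86_thread_state32_t
    body = struct.pack("<II16I", X86_THREAD_STATE32, 16, *state)
    return struct.pack("<II", LC_UNIXTHREAD, 8 + len(body)) + body


def build_constructed_macho(eip):
    """Constructed i386 Mach-O skeleton (load commands only, no code bytes)
    with a __TEXT segment and an extra __INITSTUB segment; the caller picks
    the initial EIP. Addresses are illustrative assumptions."""
    cmds = b"".join([
        _segment32("__PAGEZERO", 0x0000, 0x1000, 0x0000, 0x0000),
        _segment32("__TEXT", 0x1000, 0x1000, 0x0000, 0x1000),
        _segment32("__INITSTUB", 0x2000, 0x1000, 0x1000, 0x1000),
        _segment32("__DATA", 0x3000, 0x1000, 0x2000, 0x1000),
        _unixthread32(eip),
    ])
    # magic, cputype (CPU_TYPE_X86), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 5, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_constructed_macho(0x2010)   # entry inside __INITSTUB
    print("entry point lives in:", entry_segment(data))
    print("suspicious:", entry_is_suspicious(data))
```

Run it with a file path to inspect a real thin Mach-O; universal (fat) binaries carry several images and need to be split into architecture slices first, which this script deliberately refuses to guess at. A result other than __TEXT is the cue to set a breakpoint on the load command's entry address rather than on _main before single-stepping.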

Following is a screenshot of the resolved symbols hash of the dropper in IDA:

[Screenshot: OSX/Crisis.C, resolved symbols hash of the dropper in IDA]

When the dropper runs successfully, it hides the following files in the user's home directory (in the Library/Preferences folder), inside a fake application bundle called OvzD7xFr.app:

Then it executes the backdoor and finishes the installation by creating a LaunchAgent file, com.apple.mdworker.plist.
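The two persistence artifacts named above (the fake OvzD7xFr.app bundle under ~/Library/Preferences and the com.apple.mdworker.plist LaunchAgent) are what a host audit should look for. The script below is an added example, not part of the original post or of Intego's tooling: it checks a home directory for both, and additionally flags any com.apple.* LaunchAgent whose program lives inside the user's home, since Apple installs its own agents under /System/Library rather than in ~/Library/LaunchAgents. The home directory it scans is a constructed temporary tree, and the program path inside the fake bundle is an assumption, because the post does not list the bundle's contents.

```python
import plistlib
import tempfile
from pathlib import Path

SUSPECT_LABEL = "com.apple.mdworker"   # LaunchAgent name reported for OSX/Crisis.C
SUSPECT_BUNDLE = "OvzD7xFr.app"        # fake bundle dropped under ~/Library/Preferences


def audit_home(home):
    """Return a list of findings for one user's home directory."""
    home = Path(home)
    findings = []
    bundle = home / "Library" / "Preferences" / SUSPECT_BUNDLE
    if bundle.exists():
        findings.append(f"fake application bundle present: {bundle}")
    agents = home / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return findings
    for plist_path in sorted(agents.glob("*.plist")):
        try:
            with open(plist_path, "rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:          # a malformed agent plist is itself worth a look
            findings.append(f"unreadable LaunchAgent {plist_path}: {exc}")
            continue
        label = str(plist.get("Label", ""))
        args = plist.get("ProgramArguments") or []
        program = str(plist.get("Program") or (args[0] if args else ""))
        if plist_path.name == SUSPECT_LABEL + ".plist" or label == SUSPECT_LABEL:
            findings.append(f"OSX/Crisis.C LaunchAgent: {plist_path} -> {program}")
        elif label.startswith("com.apple.") and program.startswith(str(home)):
            # Apple ships its com.apple.* agents under /System/Library; a
            # home-resident program behind such a label is masquerading.
            findings.append(f"Apple-looking label with home-resident program: {plist_path} -> {program}")
    return findings


def build_constructed_home():
    """Constructed home directory reproducing the artifacts named in the post,
    plus one benign agent, so the audit can be exercised offline. The
    'Contents/MacOS/agent' path inside the bundle is an assumption."""
    home = Path(tempfile.mkdtemp(prefix="crisis-audit-"))
    agent_bin = home / "Library" / "Preferences" / SUSPECT_BUNDLE / "Contents" / "MacOS" / "agent"
    agent_bin.parent.mkdir(parents=True)
    agent_bin.write_bytes(b"")            # placeholder file; contents are not analysed here
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / (SUSPECT_LABEL + ".plist"), "wb") as f:
        plistlib.dump({"Label": SUSPECT_LABEL,
                       "ProgramArguments": [str(agent_bin)],
                       "RunAtLoad": True}, f)
    with open(agents / "com.example.benign.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, f)
    return home


if __name__ == "__main__":
    for finding in audit_home(build_constructed_home()):
        print(finding)
```

To audit a real account, call audit_home(Path.home()) instead of the constructed tree; the label-versus-location heuristic in the second branch catches the same masquerading pattern under other Apple-sounding names, not just the one reported here.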

Similar to OSX/Crisis.B, this binary is obfuscated using the MPress packer. It doesn't run on OS X 10.9 because it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an "Image not found" exception is raised, and then it crashes. Even on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample's configuration file starts with NULL bytes).

Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.

At the time of this writing, the overall detection rate on VirusTotal is very low.

Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.C.

  • Jay

    10.8 is not mentioned. Can we assume it works in 10.8 as it does in 10.7?

  • Usergnome

    What is the prognosis for removing this? I did an internet restore and it came back. (Which restores to Lion) When it initially dropped, it ran an install boot and then tried to launch something called browsers.app which it reported as broken. Assuming that there is nothing on the machine that needs to be saved, how would you proceed?

    • Bits

      Ok I’m not a computer expert, but I’ve had 4 specialists now look at my system and try to get rid of whatever/whoever (I have no idea who is doing it) it is, but unsuccessfully. We’ve totally wiped everything without reinstalling anything, new router, modem, ran through a high tech security scan, came out clean but nope. Everything described in this article is true to my situation (someone from F-Secure suggested I check it out because they thought this could be it) except I AM on Mavericks 10.9.3. Here’s the thing: I’m almost certain the company doing this, illegally, is a monitoring company for law enforcement, being the FBI, Secret Service and such, so they’d have extremely advanced technology. I have proof of illegal access to all my accts linking to this company. I have all spoofed certificates. Yet NO ONE, not LAPD, FBI, my congressman, even called the ACLU, no one does anything about it. I’m trying to get in touch with the head of any major security company as I’m told this may be something new. Where and how does an average, everyday girl report such a thing? This usually happens to banks, or people of interest. You see I worked for a company and am suing them for 2 different claims. Well it turns out one of the owners of this company happens to be affiliated with the monitoring company I trace all my info to. He also owns a HUGE technology company called Metro Media/part of Sprint's towers and much more. I happen to have too much information about this company and federal laws they’ve broken.
      So here I am unable to do anything. I can’t run most programs as the certificates or however they’re doing it seem to decide where they do and don’t allow me to go and what I do and don’t download. And when I do download antivirus protection it isn’t the real program.
      What now?
