Malware + Security News

New Targeted Attack Against Uyghur Mac Users Has Been Hitting the News

Posted on April 26th, 2013 by

A new targeted attack against Uyghur Mac users has been hitting the news. The threat is similar to OSX/CallMe.A we reported earlier this year and is already detected by Intego VirusBarrier.

The new sample use the same Word vulnerability, CVE-2009-0563, patched by Microsoft on June 9th, 2009. It drops a backdoor for PowerPC and Intel Macs that masquerades as a Real Player Updater, just like another variant seen on VirusTotal on February 19th, 2013. When triggered, it seeks persistence using launchd and can even relaunch itself with superuser privileges, abusing sudo command and its grace period.

The malicious binary is a port of Tiny SHell for OS X. It also sends the infected user's Contact information, the AddressBook "Me" card, to its C&C server (this behavior require user interaction since the introduction of OS X Mountain Lion's new Privacy features).

All these facts indicate the attack is specifically targeting people:

  • using OS X prior to Mountain Lion;
  • using Microsoft Office 2004 prior to 11.5.5 update or;
  • using Microsoft Office 2008 prior to the 12.1.9 update;
  • eventually comfortable with Terminal application.

The various samples we are aware of create the following files:

  • ~/Library/Application Support/.realPlayerUpdate
  • ~/library/launchagents/.systm
  • ~/library/launchagents/apple.plist
  • ~/library/launchagents/realPlayerUpdate.plist
  • /Library/Application Support/.realPlayerUpdate
  • /library/LaunchDaemons/.systm
  • /library/LaunchDaemons/apple.plist
  • /library/LaunchDaemons/realPlayerUpdate.plist

They contact the following hosts:

  • alma.apple.cloudns.org
  • apple12.crabdance.com
  • update.googmail.org

They all encrypt their communications with the C&C server with the same AES key: 12345678. Once again, Intego Virus Barrier users with up-to-date definitions will detect this threat.

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}