The new sample uses the same Word vulnerability, CVE-2009-0563, patched by Microsoft on June 9th, 2009. It drops a backdoor for PowerPC and Intel Macs that masquerades as a Real Player Updater, just like another variant seen on VirusTotal on February 19th, 2013. When triggered, it seeks persistence using launchd and can even relaunch itself with superuser privileges by abusing the sudo command and its grace period.
The malicious binary is a port of Tiny SHell for OS X. It also sends the infected user's Contact information, the AddressBook "Me" card, to its C&C server (this behavior requires user interaction since the introduction of OS X Mountain Lion's new Privacy features).
All these facts indicate the attack is specifically targeting people:
- using OS X prior to Mountain Lion;
- using Microsoft Office 2004 prior to the 11.5.5 update; or
- using Microsoft Office 2008 prior to the 12.1.9 update;
- possibly comfortable with the Terminal application.
The various samples we are aware of create the following files:
- ~/Library/Application Support/.realPlayerUpdate
- /Library/Application Support/.realPlayerUpdate
They contact the following hosts:
They all encrypt their communications with the C&C server with the same AES key: 12345678. Once again, Intego Virus Barrier users with up-to-date definitions will detect this threat.
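A check for the file indicators listed above, as an added example that is not part of the original post. It looks for the two `.realPlayerUpdate` drop locations and for launchd job plists that reference that name. The function name and the optional root argument are assumptions of this example, and because the post does not name the launchd plist, the match is on the referenced file name only.

```shell
#!/bin/sh
# Added example: look for the dropped files named in this post and for
# launchd job definitions that reference them.
# Usage: scan_realplayer_ioc           (live system)
#        scan_realplayer_ioc /Volumes/image   (mounted disk image; path is illustrative)

IOC_NAME=".realPlayerUpdate"   # file name taken from the post

scan_realplayer_ioc() {
    root="${1:-}"   # assumption: optional prefix so a mounted image can be scanned
    hits=0

    # System-wide location first, then each user's home (macOS keeps homes in /Users).
    for base in "$root" "$root"/Users/*; do
        path="$base/Library/Application Support/$IOC_NAME"
        if [ -e "$path" ]; then
            echo "dropped file: $path"
            hits=$((hits + 1))
        fi
        # launchd loads job plists from these standard directories. grep also
        # matches inside binary plists, where strings are stored as raw bytes.
        for dir in "$base/Library/LaunchAgents" "$base/Library/LaunchDaemons"; do
            [ -d "$dir" ] || continue
            for plist in "$dir"/*.plist; do
                [ -f "$plist" ] || continue
                if grep -qF -- "$IOC_NAME" "$plist"; then
                    echo "launchd job references $IOC_NAME: $plist"
                    hits=$((hits + 1))
                fi
            done
        done
    done

    echo "total hits: $hits"
    [ "$hits" -eq 0 ]   # exit status 0 = nothing found, 1 = indicators present
}
```

Reading other users' home directories needs root, so an unprivileged run only covers the system-wide path and the current user.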