Mac malware signed with Apple ID infects activist’s laptop

KITM_launchpoint-640x482by Dan Goodin

Stealthy Mac OS X spyware that was digitally signed with a valid Apple Developer ID has been detected on the laptop of an Angolan activist attending a human rights conference, researchers said.

The backdoor, which is programmed to take screenshots and send them to remote servers under the control of the attackers, was spread using a spear phishing e-mail, according to privacy activist Jacob Appelbaum. Spear phishing is a term for highly targeted e-mails that address the receiver by name and usually appear to come from someone the receiver knows. The e-mails typically discuss topics the two people have talked about before. According to AV provider F-Secure, the malware was discovered during a workshop showing freedom of speech activists how to secure their devices against government monitoring.

The malware was signed with a valid Apple Developer ID allowing it to more easily bypass the Gatekeeper feature Apple introduced in the Mountain Lion version of OS X. If it’s not the first time Mac malware has carried such a digital assurance, it’s certainly among the first. Both F-Secure and Appelbaum said the backdoor, identified as OSX/KitM.A, is new and previously unknown. For its part, AV provider Intego said the malware is a variant of a previously seen trojan known as OSX/FileSteal. Intego continued:

The backdoor itself is, like previous variants, very basic in functionality. It copies itself to the User’s home folder (whereas the original variant copied itself to the /Applications folder) and adds itself to the user’s login item to be launched on every startup. It does this using the same Applescript as used by the original OSX/FileSteal.A variant. The backdoor silently takes screenshots of the affected user’s machine, which are put in the ~/MacApp folder. The threat then sends collected screenshots in PNG format to one remote website, and it sends other collected user info to another, separate site. The various sites used by the backdoor are not responding at this time.

Read More Here