New Mac malware uses an Apple Developer ID certificate

Posted: May 24, 2013 in IT Security News

Information security specialists report the discovery of new variants of the previously identified KitM spyware for the Mac OS X operating system.

One of the new samples appears to have been written in December 2012 and is aimed at users in Germany.

KitM (Kumar in the Mac), also known as HackBack, is a backdoor that takes screenshots and sends them to a remote server controlled by the attacker. It also opens shell access to the infected computer, allowing the attacker to run commands on it.

Notably, the latest KitM samples were signed with a valid Apple Developer ID certificate, issued by Apple to a developer named Rajinder Kumar. Being signed with a valid certificate lets the malware bypass Gatekeeper, the security tool present in Mac OS X Mountain Lion.

The first two samples detected by F-Secure connected to C&C servers in the Netherlands and Romania. Security vendor Norman Shark, in turn, reports that the KitM code was used in the Operation Hangover cyber-espionage campaign. F-Secure reports that, according to its analysis, active KitM variants were used for attacks in the period from December to February.

All identified KitM installers came as Zip archives holding Mach-O executables disguised as Adobe PDF or Microsoft Word documents. This approach has recently been used to spread malicious programs via email to Windows users.

The recent samples are also signed with Rajinder Kumar's certificate, which Apple revoked last week. However, this does not help those who already have the malware on their computer: Gatekeeper verifies the certificate only once, at first launch, so if Apple revokes the certificate afterwards, Gatekeeper takes no notice.
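Because Gatekeeper does not re-check a bundle after its first launch, already-installed applications can be audited for the revoked signer. The Python sketch below is an added example, not code from the original post or from F-Secure: it parses `codesign -dvv` output and matches the leaf `Authority=` line by developer name (an assumption, since the page gives no certificate fingerprint), and the sample outputs and paths in it are constructed.

```python
import glob
import re
import subprocess

# Developer named in the article whose Developer ID certificate Apple revoked.
REVOKED_SIGNERS = {"Rajinder Kumar"}

# Constructed samples of `codesign -dvv` output (paths and identifiers are made up).
SAMPLE_REVOKED = """Executable=/Users/test/Downloads/Report.app/Contents/MacOS/Report
Identifier=com.example.report
Authority=Developer ID Application: Rajinder Kumar
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_OTHER = """Executable=/Applications/Notes2.app/Contents/MacOS/Notes2
Identifier=com.example.notes2
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_UNSIGNED = "/tmp/Tool.app: code object is not signed at all\n"

def leaf_signer(codesign_output):
    """Developer name from the first Authority= line (the leaf certificate), or None."""
    for line in codesign_output.splitlines():
        if line.startswith("Authority="):
            m = re.match(r"Authority=Developer ID Application:\s*(.+?)"
                         r"(?:\s*\([A-Z0-9]{10}\))?$", line.strip())
            return m.group(1) if m else None
    return None  # unsigned or ad-hoc signed: no certificate chain

def is_flagged(codesign_output, revoked=REVOKED_SIGNERS):
    """True if the bundle's leaf certificate belongs to a revoked signer."""
    return leaf_signer(codesign_output) in revoked

def audit(app_paths):
    """Run codesign on each bundle (macOS only); return paths signed by a revoked ID."""
    flagged = []
    for path in app_paths:
        # codesign prints signing details on stderr, not stdout
        proc = subprocess.run(["codesign", "-dvv", path],
                              capture_output=True, text=True)
        if is_flagged(proc.stderr):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for hit in audit(glob.glob("/Applications/*.app")):
        print("signed by revoked Developer ID:", hit)
```

Run it against download and user application folders as well as `/Applications`, since the installers described here arrive as archives opened by the user.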

Apple Developer ID
F-Secure – OSX/KitM (Kumar in the Mac)
