Advanced malware that has been plaguing Windows users for the last five years has moved to target Apple Macs - exploiting a “dangerous sense of complacency” among IT departments that their Apple devices are more secure, says security firm FireEye.
The advanced (APT) backdoor, known as XSLCmd, is now being used by threat actors, including a group called GREF who, since 2009 or before, have targeted US defence companies, electronics and engineering companies worldwide, and foundations and other NGOs, especially those with interests in Asia.
FireEye's James Bennett and Mike Scott say in a 4 September blog that XSLCmd's switch from Windows to OS X is probably recent and that its discovery “is a clear indicator that APT threat actors are shifting their eyes to OS X as it becomes an increasingly popular computing platform”.
They warn: “Many people consider OS X to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users.
“In fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers.
“Clearly as the OS X platform becomes more widely adopted across enterprises, threat groups like GREF will continue to adapt and find ways to exploit that platform.”
FireEye reports that the XSLCmd backdoor has been widely used in targeted attacks over several years. It has often been updated and now features a reverse shell, file listings and transfers, installation of additional executables, and an updatable configuration.
The OS X version also includes two new features not seen on Windows - key logging and screen capturing.
The malware can also ‘hide from more aware users via an installation routine that differs slightly depending on whether or not the process is running with ‘super-user' privileges, making it less obvious that the malware is running on the system.
FireEye's researchers also profile the GREF gang, describing them as “one of the few APT threat groups that does not rely on phishing as their primary attack method. They were one of the early adopters of strategic web compromise (SWC) attacks.”
GREF's past victims include the US Center for Defense Information, the National Defense Industrial Association, and satellite company Millennium Space Systems.
The researchers are not certain when the Mac variant was created. Recent activity like domain registrations “could hint at the possibility that this OS X port of XSLCmd was recently developed and deployed; however, this remains uncertain”.
Apple user complacency?
Commenting on the XSLCmd threat, UK cyber expert Graeme Batsman, security director of EncSec, shares FireEye's view that Apple Mac users are more certain of their security – sometimes justifiably.
He told SCMagazineUK.com via email: “Quite a lot of Mac users and some IT security specialists who use them do not even bother to install anti-virus. Sophos even offer it for free since it is hard to convince owners to pay.
“Mac owners for the past decade and today will tell you they are more secure. There is truth in this because the user base is far lower than Windows and typical users are in the media or graphics industry who may have less sensitive data than others.”
He added: “The move from Windows to Mac is a bit like the evolution of malware. Sending an EXE or SCR is obvious but sending a PDF or MS Word file is not. The bad guys are simply trying to go for the less protected kit. Large firms may be protecting Windows and leaving Mac quite open, hence why the attackers have changed tactic.”
Ben Densham, CTO at cyber security consultancy Nettitude, agreed, telling SCMagazineUK.com via email: “Attackers take the path of least resistance via systems that are likely to be less monitored. We see a lot of complacency within organisations who assume that Mac resilience to cyber breaches remains static. Using third-party applications to acquire escalated privileges or use a Mac as a pivot point to further targets is often overlooked by organisations.”
* Separately, FireEye has reported that a cyber espionage group called APT12, linked with the Chinese People's Liberation Army - and which carried out a notorious attack on the New York Times in 2012 - has launched a new campaign against targets in Japan and Taiwan.
FireEye says APT12 went to ground after Arbor Networks blogged about the group in June, but has now resurfaced to attack multiple Taiwanese government organisations between 22 to 28 August, using spear phishing to plant a Microsoft Word backdoor (CVE-2012-0158).
FireEye strongly suspects APT12 is also behind other attacks last month using the same backdoor against a technology company in Taiwan, a Japanese electronics firm and other organisations in the Asia-Pacific region of interest to China.
It says: “The new campaigns highlight the correlation between APT groups ceasing and re-tooling operations after media exposure, as APT12 used the same strategy after compromising the New York Times. Much like Darwin's theory of biological evolution, APT12 been forced to evolve and adapt in order to maintain its mission.”
APT12 has used the latest pause to adopt new backdoor tools but the researchers say: “Though public disclosures resulted in APT12 adaptations, FireEye observed only a brief pause in APT12 activity before the threat actors returned to normal activity levels.”