Advanced malware that has been plaguing Windows users for the last five years has moved to target Apple Macs - exploiting a “dangerous sense of complacency” among IT departments that their Apple devices are more secure, says security firm FireEye.
The advanced (APT) backdoor, known as XSLCmd, is now being used by threat actors, including a group called GREF who, since 2009 or before, have targeted US defence companies, electronics and engineering companies worldwide, and foundations and other NGOs, especially those with interests in Asia.
FireEye's James Bennett and Mike Scott say in a 4 September blog that XSLCmd's switch from Windows to OS X is probably recent and that its discovery “is a clear indicator that APT threat actors are shifting their eyes to OS X as it becomes an increasingly popular computing platform”.
They warn: “Many people consider OS X to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users.
“In fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers.
“Clearly as the OS X platform becomes more widely adopted across enterprises, threat groups like GREF will continue to adapt and find ways to exploit that platform.”
FireEye reports that the XSLCmd backdoor has been widely used in targeted attacks over several years. It has often been updated and now features a reverse shell, file listings and transfers, installation of additional executables, and an updatable configuration.
The OS X version also includes two new features not seen on Windows - key logging and screen capturing.
The malware can also ‘hide from more aware users via an installation routine that differs slightly depending on whether or not the process is running with ‘super-user' privileges, making it less obvious that the malware is running on the system.
FireEye's researchers also profile the GREF gang, describing them as “one of the few APT threat groups that does not rely on phishing as their primary attack method. They were one of the early adopters of strategic web compromise (SWC) attacks.”
GREF's past victims include the US Center for Defense Information, the National Defense Industrial Association, and satellite company Millennium Space Systems.
The researchers are not certain when the Mac variant was created. Recent activity like domain registrations “could hint at the possibility that this OS X port of XSLCmd was recently developed and deployed; however, this remains uncertain”.
Apple user complacency?
Commenting on the XSLCmd threat, UK cyber expert Graeme Batsman, security director of EncSec, shares FireEye's view that Apple Mac users are more certain of their security – sometimes justifiably.