Mac OS X, Windows Backdoors Used in New APT Attacks

Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:31:56


A new Mac OS X backdoor variant has begun making the rounds online, targeting a Turkic ethnic group in central Asia, according to a post on Securelist’s blog earlier today.

Researchers intercepted an advanced persistent threat (APT) campaign earlier this week that was targeting Uyghur Mac users, according to the analysis by Kaspersky Lab senior security researcher Costin Raiu.

Victims of the attack received an email with a zip file with a JPG file and an OS X application attached. If opened, the application will launch a new variant of the MaControl backdoor, connect to its command and control (C+C) server and allow the attacker to run commands on the infected computer and access its files.
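A mail-gateway triage check for the lure described above (a zip carrying a JPG beside an OS X application), as an added example that is not from the article or from Kaspersky Lab. The function names, verdict labels and the sample archive are constructed for illustration.

```python
import io
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def app_bundles(names):
    """Return the roots of .app bundles that carry a file under Contents/MacOS."""
    bundles = set()
    for name in names:
        parts = name.split("/")
        for i, part in enumerate(parts):
            # An OS X application is a directory tree: X.app/Contents/MacOS/<binary>
            if (part.lower().endswith(".app")
                    and parts[i + 1:i + 3] == ["Contents", "MacOS"]
                    and len(parts) > i + 3 and parts[-1]):
                bundles.add("/".join(parts[:i + 1]))
                break
    return bundles

def triage_zip(data):
    """Classify a zip attachment given as bytes (verdict labels are hypothetical)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.startswith("__MACOSX/")]
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "bundles": [], "images": []}
    bundles = sorted(app_bundles(names))
    # Images inside a bundle are ordinary app resources, not a decoy beside it.
    images = sorted(n for n in names if n.lower().endswith(IMAGE_EXTS)
                    and not any(n.startswith(b + "/") for b in bundles))
    if bundles and images:
        verdict = "quarantine"   # application shipped next to a decoy picture
    elif bundles:
        verdict = "review"       # application alone in a mailed archive
    else:
        verdict = "pass"
    return {"verdict": verdict, "bundles": bundles, "images": images}

def build_sample(entries):
    """Build an in-memory zip with placeholder content (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_sample(["photo.jpg", "Document.app/Contents/Info.plist",
                         "Document.app/Contents/MacOS/Document"])
    print(triage_zip(lure))
```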

Researchers appear to have traced the C+C server to an IP address in China.

Similar to Kaspersky Lab’s discovery, AlienVault Labs claims to have found another backdoor, this one affecting Windows users. Transmitted through email, the attack also includes a zip file – along with a WinRAR file. The file extracts a binary that goes on to copy itself but not before dropping a DLL file on the system. After it’s injected, the DLL file appears to help initiate Gh0st RAT, a well-known remote access tool. Gh0st RAT was served up by Amnesty International’s website just last month and has been used in other targeted attack campaigns in recent years.

Other variants of Gh0st RAT were recently installed on computers, following a spear phishing campaign involving nongovernmental organizations that support the Central Tibetan Administration.

Much like the Flashback Trojan earlier this year, another type of Mac malware, SabPub, took aim at Mac users in April after it exploited the same Java security hole.