Mac Malware With Apple Developer ID ‘Likely Government Sponsored’


The sneaky Janicab malware is likely targeting activists in Kazakhstan and Russia

Malware targeting Apple Mac systems and signed with a legitimate Apple Developer ID has emerged, and it is thought to have been sponsored by a nation state.

The content of the emails delivering the Janicab malware points to PDFs offering “recent news”, and the decoy files actually shown to targets contain rhetoric against Kazakhstan president Nursultan Nazarbayev. It therefore appears that a government is backing the attacks, according to security experts.

This is only the second known case of Mac malware signed with an Apple Developer ID, Sean Sullivan, F-Secure security advisor, told TechWeekEurope. In May, a backdoor that was also signed with an Apple Developer ID was discovered on a Mac belonging to an activist from Angola.

“As both of these cases appear to be targeted attacks against activists, it is also likely that they’re government sponsored – and so faking the needed identity info may not be such a difficult task,” Sullivan added.

Mac malware avoiding detection

Beyond the Apple Developer ID signature, which makes the file look like a sanctioned application and lets it through the default Gatekeeper setting of allowing identified developers, the malware does some other smart things to avoid detection, F-Secure found.

The Janicab backdoor uses the right-to-left override (RLO), a Unicode bidirectional control character (U+202E) that reverses the on-screen order of the text that follows it. Placed inside a file name, it hides the real extension of an executable, which can help the file slip past anti-virus heuristics and fool users into believing it is a harmless document.

RLO exists to support languages that are written right to left, but it can be abused to change how a file name, and therefore its apparent extension, is displayed; the name stored on disk is unchanged. It is a common trick in Windows malware such as Bredolab and Mehdi, but F-Secure says it had not previously been seen in Mac malware.

In this case the malware is an application bundle whose name is really RecentNews.fdp.app with an RLO character inserted after the first dot; Finder renders everything after the override reversed, so the user sees the more innocent-looking RecentNews.ppa.pdf. OS X nevertheless recognises the real .app extension and still displays it, partly helping the user avoid infection:

Apple quarantine pdf

Yet the RLO character also reaches the OS X quarantine notification: because the file name is embedded in the dialog text, the override affects the text that follows it and the warning itself becomes hard to read, which could certainly bamboozle users:

Apple quarantine notification
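To make the RLO trick concrete, the following is an added example, not code from the article or from F-Secure. It builds a constructed file name in the Janicab pattern (RecentNews. followed by U+202E and fdp.app), shows how a bidi-aware display renders it versus what the operating system actually treats as the extension, and implements the check a defender would want: scan file names for Unicode bidirectional control characters and flag any whose displayed extension disagrees with the real one. The simplified rendering model (everything after an override is reversed until a pop-directional-formatting character or the end of the name) is an assumption that holds for plain ASCII names, which is exactly what this trick relies on.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can disguise a file name.
# Constructed set: the explicit embedding, override and isolate controls.
BIDI_CONTROLS = {
    "\u202a",  # LRE  LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RLE  RIGHT-TO-LEFT EMBEDDING
    "\u202c",  # PDF  POP DIRECTIONAL FORMATTING
    "\u202d",  # LRO  LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RLO  RIGHT-TO-LEFT OVERRIDE
    "\u2066",  # LRI  LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RLI  RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FSI  FIRST STRONG ISOLATE
    "\u2069",  # PDI  POP DIRECTIONAL ISOLATE
}

RLO = "\u202e"
PDF = "\u202c"

# Constructed sample following the naming pattern described for Janicab:
# the on-disk name is "RecentNews." + RLO + "fdp.app", an application bundle.
JANICAB_STYLE_NAME = "RecentNews." + RLO + "fdp.app"


def displayed_name(name: str) -> str:
    """Approximate how a bidi-aware UI renders a name containing RLO.

    Assumed simplified model of the Unicode bidi algorithm: the run after an
    RLO (up to a PDF or the end of the string) is forced right-to-left, i.e.
    shown reversed. Other bidi controls are invisible and are dropped.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            out.append(name[i + 1:j][::-1])  # reversed run
            i = j + 1                        # skip the PDF terminator if any
        elif ch in BIDI_CONTROLS:
            i += 1                           # invisible control: not rendered
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """The extension the OS actually uses, taken from the raw string."""
    return os.path.splitext(name)[1].lower()


def displayed_extension(name: str) -> str:
    """The extension a user believes they see in a bidi-aware file listing."""
    return os.path.splitext(displayed_name(name))[1].lower()


def find_bidi_controls(name: str) -> list:
    """Return (index, code point, Unicode name) for each bidi control present."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def check_name(name: str) -> dict:
    """Flag a file name whose displayed extension disagrees with the real one,
    or which contains any bidi control character at all (never legitimate in
    ordinary document names)."""
    controls = find_bidi_controls(name)
    real_ext = real_extension(name)
    shown_ext = displayed_extension(name)
    return {
        "raw": name,
        "displayed": displayed_name(name),
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    for candidate in (JANICAB_STYLE_NAME, "report.pdf"):
        result = check_name(candidate)
        print(f"displayed as {result['displayed']!r}, real extension "
              f"{result['real_ext']}, shown extension {result['shown_ext']}, "
              f"suspicious={result['suspicious']}")
```

Running the check over a download directory is a cheap detection: any name containing a character from BIDI_CONTROLS deserves a look, and a mismatch between real and shown extension is a strong signal regardless of whether the file carries a valid Developer ID signature.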

The malware itself, written in Python, appears to be used for surveillance of activists in Kazakhstan or Russia. It takes screenshots and records audio, sending the data to a command-and-control server.

As the malware executes, a decoy file appears containing what looks like the Guy Fawkes mask from V for Vendetta, adopted by the hacktivist collective Anonymous, and a polemic condemning the regime in Kazakhstan and labelling it a dictatorship. The decoy also appears to refer to a Kazakh businessman and a Russian opposition party.

“Some Russian dissidents [are the target] would be my guess,” Sullivan added. “A category I haven’t really seen before, using Mac.”

Late last year, Mac malware was seen targeting supporters of the Dalai Lama, a significant figure in Tibetan Buddhism.

As an extra worry for Mac users, threats long familiar on Windows are increasingly appearing on Apple machines. Malwarebytes yesterday confirmed the discovery of an FBI-themed ransomware scam targeting Mac users, which demanded that victims pay $300 to unlock their computer.
