Malware targeting Apple Mac systems signed with an official developer ID has emerged, and is thought to have been sponsored by a nation state.
The content of emails delivering the Janicab malware points to PDFs offering “recent news”, and the decoy files actually seen by targets contain rhetoric against Kazakhstan president Nursultan Nazarbayev. It therefore appears a government is backing the attacks, according to security experts.
This is only the second known case of Mac malware signed with an Apple Developer ID, Sean Sullivan, F-Secure security advisor, told TechWeekEurope. In May, a backdoor was discovered on a Mac belonging to an activist from Angola, which was also signed with an Apple Developer ID.
“As both of these cases appear to be targeted attacks against activists, it is also likely that they’re government sponsored – and so faking the needed identity info may not be such a difficult task,” Sullivan added.
The Mac malware also does some smart things to avoid detection, beyond using the Apple developer ID that makes it look like a sanctioned application, F-Secure found.
The Janicab backdoor uses something called right-to-left override (RLO), an encoding method that can be used to hide the real extension of executable files, which could help bypass anti-virus systems or fool users into believing it is legitimate.
RLO is a Unicode character designed to support languages that are read right to left, but it can be used to alter the displayed extension of a file. It is a common trick used by Windows malware like Bredolab and Mehdi, but has never before been seen affecting Macs.
With the Mac malware, the RLO character changes the malware file name from RecentNews.fdp.app to the more innocent looking RecentNews.ppa.pdf. But the OS X system picks up on this and still displays the correct extension, partly helping the user avoid infection.
Yet the quarantine notification from OS X is also turned on its head by the RLO, which could certainly bamboozle users.
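The RLO trick described above can be checked for mechanically. The following Python sketch is an added example, not code from the article or from F-Secure: it flags file names containing bidirectional control characters such as RLO (U+202E) and compares the extension a user would see with the one the system acts on. The position of the RLO character in the sample name and the simplified rendering logic are assumptions.

```python
import os
import unicodedata

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"

def bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in the file name."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def real_extension(name):
    """Extension the OS acts on: taken from the stored (logical) character order."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()

def displayed_name(name):
    """Approximate what a bidi-aware UI shows: text after RLO is drawn reversed
    until a PDF or the end of the string. Simplified, not the full UAX #9 algorithm."""
    out, run, overriding = [], [], False
    for c in name:
        if c == RLO:
            overriding = True
        elif c == PDF and overriding:
            out.append("".join(reversed(run)))
            run, overriding = [], False
        elif c in BIDI_CONTROLS:
            continue  # other controls are invisible and ignored in this sketch
        elif overriding:
            run.append(c)
        else:
            out.append(c)
    out.append("".join(reversed(run)))
    return "".join(out)

def is_spoofed(name):
    """Flag names whose displayed extension differs from the real one."""
    shown = os.path.splitext(displayed_name(name))[1].lower()
    return bool(bidi_controls(name)) and shown != real_extension(name)

# Constructed sample: the article's file name with RLO assumed after "RecentNews."
SAMPLE = "RecentNews.\u202efdp.app"

if __name__ == "__main__":
    print(displayed_name(SAMPLE), real_extension(SAMPLE), is_spoofed(SAMPLE))
```

A mail gateway or endpoint scanner can apply the same test to attachment and archive member names before they reach a user.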
The malware itself, written in Python, appears to be used for surveillance on activists either in Kazakhstan or Russia. It takes screenshots and records audio, sending the data to a command and control server.
As the malware executes, a decoy file appears, containing what appears to be the V for Vendetta mask used by the hacktivist collective Anonymous and a polemic condemning the regime in Kazakhstan, labelling it a dictatorship. The decoy file also seems to be related to a Kazakh businessman and a Russian opposition party.
“Some Russian dissidents [are the target] would be my guess,” Sullivan added. “A category I haven’t really seen before, using Mac.”
Late last year, Mac malware was seen targeting supporters of the Dalai Lama, a significant figure in Tibetan Buddhism.
As an extra worry for Mac users, traditional Windows threats are increasingly appearing on Apple machines. Malwarebytes yesterday confirmed the discovery of FBI ransomware for Mac, which demanded victims pay $300 to unlock their computer.