Mac Malware With Apple Developer ID ‘Likely Government Sponsored’

Malware targeting Apple Mac systems signed with an official developer ID has emerged, and is thought to have been sponsored by a nation state.

The content of the emails delivering the Janicab malware points to PDFs offering “recent news”, and the decoy files actually seen by targets contain rhetoric against Kazakhstan president Nursultan Nazarbayev. It therefore appears a government is backing the attacks, according to security experts.

This is only the second known case of Mac malware signed with an Apple Developer ID, Sean Sullivan, F-Secure security advisor, told TechWeekEurope. In May, a backdoor was discovered on a Mac belonging to an activist from Angola, which was also signed with an Apple Developer ID.

“As both of these cases appear to be targeted attacks against activists, it is also likely that they’re government sponsored – and so faking the needed identity info may not be such a difficult task,” Sullivan added.

Mac malware avoiding detection

The Mac malware also does some smart things to avoid detection, beyond using the Apple developer ID that makes it look like a sanctioned application, F-Secure found.

The Janicab backdoor uses something called right-to-left override (RLO), an encoding method that can be used to hide the real extension of executable files, which could help bypass anti-virus systems or fool users into believing it is legitimate.

RLO is a Unicode control character designed to support languages that are read right to left, but it can be used to alter how a file's extension appears. It is a common trick used by Windows malware like Bredolab and Mehdi, but has never been seen before affecting Macs.

With the Mac malware, the RLO character changes the malware file name from RecentNews.fdp.app to the more innocent-looking RecentNews.ppa.pdf. But OS X picks up on this and still displays the correct extension, partly helping the user avoid infection:

Yet the quarantine notification from OS X is also turned on its head by the RLO, which could certainly bamboozle users:
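The rename described above can be checked for mechanically: the file name still contains the RLO code point, whatever the display shows. The following is an added example (not code from the article or from F-Secure) that flags file names carrying bidi control characters and reports the apparent versus the true extension; the sample file name is constructed to match the one the article describes, and the display rendering is a simplification of the Unicode bidi algorithm (text after an RLO is drawn reversed).

```python
import unicodedata

# Unicode bidi controls that can reorder or mark displayed text; none of them
# belong in an ordinary file name, so any occurrence is worth flagging.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates and PDI
    "\u200E", "\u200F",                                # LRM, RLM
}
RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE


def displayed_name(name: str) -> str:
    """Approximate what a viewer shows for a name with a single RLO:
    everything after the override is rendered right-to-left (reversed)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def true_extension(name: str) -> str:
    """Extension the OS actually uses: strip the bidi controls first."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return _extension(stripped)


def analyze(name: str) -> dict:
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    return {
        "displayed": shown,
        "apparent_extension": _extension(shown),
        "true_extension": true_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls),  # controls in a file name are a red flag
    }


# Constructed sample modelled on the article's RecentNews file name.
SAMPLE = "RecentNews." + RLO + "fdp.app"

if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v}")
```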

The malware itself, written in Python, appears to be used for surveillance on activists either in Kazakhstan or Russia. It takes screenshots and records audio, sending the data to a command and control server.

As the malware executes, a decoy file appears, containing what appears to be the V for Vendetta mask used by the hacktivist collective Anonymous and a polemic condemning the regime in Kazakhstan, labelling it a dictatorship. The decoy file also seems to be related to a Kazakh businessman and a Russian opposition party.

“Some Russian dissidents [are the target] would be my guess,” Sullivan added. “A category I haven’t really seen before, using Mac.”

Late last year, Mac malware was seen targeting supporters of the Dalai Lama, a significant figure in Tibetan Buddhism.

As an extra worry for Mac users, traditional Windows threats are increasingly appearing on Apple machines. Malwarebytes yesterday confirmed the discovery of FBI ransomware for Mac, which demanded victims pay $300 to unlock their computer.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
