Mac Trojan Is Cyber Spying Tool, Say Experts

A Mac Trojan aimed at Apple systems is actually a cyber espionage tool that can be bought online from an Italian hacking group, security researchers have claimed.

The malware, which is being sold in competition to tools such as FinSpy, which British firm Gamma International has been accused of selling to repressive regimes in Egypt and Bahrain, has various names – Crisis, Morcut and DaVinci – and operates as a backdoor, providing attackers remote acess to infected systems.

Research from Russian firm Dr. Web noted the Mac Trojan was developed by an Italian organisation called HackingTeam – a claim backed up by F-Secure’s chief research officer Mikko Hypponen – and it comes with rootkit technologies to hide itself.

This is the first time a piece of Mac malware has been seen with rootkit capabilities, Dr. Web said. It can also infect Windows machines and the security firm said a mobile version was known to exist.

For criminals or governments?

“The Trojan saves and transmits information about the infected machine to criminals, acts as a key logger, can take screenshots, and intercept e-mail, ICQ [an instant messaging computer program], Skype messages and data captured by a microphone or video camera connected to a computer,” Dr Web blogged.

“In addition, the backdoor has a large set of tools to bypass anti-virus software and firewalls, so it may run unnoticed in a system for a long time.

“HackingTeam criminals call their brainchild a 21st-century weapon and sell BackDoor.DaVinci.1 as a remote control and espionage solution.”

The HackingTeam claims to work for law enforcement and intelligence communities, not for criminals. It openly advertises its Da Vinci “hacking suite for governmental interception” on its website.

Hypponen said on Twitter that what the HackingTeam were offering was a competitor to the FinSpy software offered by British firm Gamma International, which has been implicated in selling surveillance gear to repressive regimes in Egypt and Bahrain. The UK government is currently being threatened with legal action unless it places tighter controls on the export of technology such as FinSpy.

Trend Micro issued its own post on the malware today, saying it would not run on the latest Mac OS, Mountain Lion, which was released earlier this week. However, its “apparent inability to run on Mountain Lion may be premature, as we know malware creators are capable of ‘updating’ and spawning variants within hours,” Trend said.

“With Mountain Lion’s release, it is likely that we will soon see newer samples, or even a new threat, that will attempt to target Mountain Lion.”

No attacks using the Trojan, which can infect older Mac systems than Mountain Lion, have been seen in the wild.

Many have warned cyber criminals will increasingly target Apple Macs as they grow in popularity. The Flashback Trojan that infected over 600,000 Macs was viewed as a sign of things to come.

Like Internet anonymity? Try our Anonymous quiz!