Mac malware detected by Appelbaum at Oslo Freedom Forum

Pierluigi Paganini May 20, 2013


A new Mac Malware has been detected at recent Oslo Freedom Forum workshop, the concerning discovery has been made by the popular security expert Jacob Appelbaum.

“Hundreds of the world’s most influential dissidents, innovators, journalists, philanthropists, and policymakers will unite in the Norwegian capital for a three-day summit exploring how best to challenge authoritarianism and promote free and open societies.”

Appelbaum is best known for his work in the fight of online anonymity (e.g. Tor Project) and for his participation in numerous activities in the defense of human rights and free access to the Internet.

During  workshop is debated the topic of government surveillance, the experts who participated to the event discussed the uncomfortable subject and many other topics such as dictatorship, censorship and activism.

During the recent months many cyber espionage campaigns have been uncovered, in majority of the cases governments used malicious codes to track dissident and political opponents, the phenomena have global diffusion and are of great concern to those who are fighting for humanitarian rights and freedom of expression.

This edition of the forum,  The fifth, will be reminded also for the discovery of  Appelbaum, a new strain of malware with backdoor capabilities on Mac OS has been detected on an Angolan activist’s machine.

Appelbaum sustained that the Angolan activist’s PC was compromised in a spear-phishing attack used to spread the Mac Malware.

F-Secure security firm was one of the first firm that investigated on the Mac Malware, the researcher known as “Brod,” is investigating on the malicious agent. F-Secure security advisor Sean Sullivan published an interesting post on the case, the Mac Malware code is signed with a legitimate Apple Developer ID and it is able to take screenshots storing them image files in a folder called “MacApp.”.

Mac Malware Storage

Appelbaum confirmed via Twitter that Apple has revoked the Developer ID with which the malware is signed

Mac Malware Tweet2

The spyware implements simple spying functions, it is able to capture images of the victim’s screen and transfer the data to a Command & Control server, the security researchers found two C&C server located in France and in the Netherlands.

Mac Malware CeC 1

Mac Malware CeC 2


Sullivan wrote that the French C&C server would not resolve and the Dutch displayed a “Forbidden” access message.

Sullivan and Appelbaum revealed on Twitter that Mac malware detected appeared to be linked to an older Mac malicious code called HackBack.

Mac Malware Tweet

VirusTotal assigned to the Mac Malware a Detection ratio of 1/46 that means that  only F-Secure antivirus vendors is currently detecting the threat identifying it as as Backdoor: OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e).

Pierluigi Paganini

(Security Affairs – Cyber espionage)

you might also like

leave a comment