APT ported XSLCmd Backdoor on OS X according to FireEye

Security Experts at FireEye Lab discovered a new variant of the XSLCmd backdoor that has been used in targeted attacks infecting Mac OX based systems.

Experts at FireEye Labs have discovered a previously unknown variant of the APT backdoor XSLCmd, OSX.XSLCmd, which is used by a group of hackers known for past cyber espionage activities against the U.S. Defense Industrial Base.

The malware was designed to compromise Apple OS X systems starting from the Windows version of the XSLCmd backdoor, which it shares a significant portion of its code.

When dropped on a Mac the malicious code copies itself to /Library/Logs/clipboardd and $HOME/Library/LaunchAgents/clipboardd and to gain persistence it also creates a plist file in the same directory with the name com.apple.service.clipboardd.plist.

The  XSLCmd backdoor has been around since at least 2009 and has been used in different targeted attacks over the past several years as explained by the researchers at FireEye Lab in a  blog post.

“Based on our historical intelligence, we believe that the XSLCmd backdoor has been solely used by the threat group we call “GREF.” We track this threat group as “GREF” due to their propensity to use a variety of Google references in their activities – some of which will be outlined later in this report. Our tracking of GREF dates back to at least the 2009 timeframe, but we believe they were active prior to this time as well. ” states the post.

The XSLCmd backdoor and is capable of opening a reverse shell, accessing victims file system, transferring files and installing additional malware on the infected PC, logging keystrokes and capturing screen shots.

The backdoor checks the OS X version and not considers versions above 10.8, aka Mountain Lion, it’s likely that version 10.8 was either the latest OS X version when the authors of the malware designed it.

As anticipated the GREF APT hit wide range of organizations, including the US Defense Industrial Base (DIB):

“Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGOs, especially those with interests in Asia,” states FireEyesaid,

The GREF used mainly watering hole attacks to serve the backdoor, but it has occasionally used also phishing emails to distribute the malicious code.

FireEye confirmed that GREF APT has used zero-day exploit in the past to infect victims through the exploitation of vulnerabilities in browsers or browser plug-ins like Flash Player, Adobe Reader and Java.

GREF was particularly active in the 2010 then it used different 0-day exploits, including CVE-2010-0806, CVE-2010-1297 and CVE-2010-2884 in its attacks.  The hackers compromised many website for its watering hole attacks, including Center for Defense Information (cdi.org), National Defense Industrial Association (ndia.org), Interservice/Industry Training, Simulation and Education Conference (iitsec.org), and satellite company Millennium Space Systems (millennium-space.com).

The discovery confirms the increasing interest of APT in the exploitation of OS X based systems, the new XSLCmd variant is the latest of several backdoor programs for Mac OS X that were detected by security firms and that have been used in cyber espionage attacks.

The wrong conviction that Mac OS X systems are more secure of Windows platforms has advantaged the attackers in the past years.

“OS X has gained popularity across enterprises, from less savvy users who find it easy to operate, to highly technical users that utilize its more powerful features, as well as with executives,” the FireEye researchers said.

APT are able to conduct insidious campaigns for years adapting their tactics and exploring technology

Pierluigi Paganini

(Security Affairs – Mac OS X, backdoor)