September 21, 2014

New malware spies on Mac users via Firefox, Safari and Skype

(LiveHacking.Com) – A new piece of Mac malware has been discovered that is designed to spy on users. Known as either Crisis or Morcut, the malware is passed around as a Java program pretending to be Adobe Flash. The file is named something like AdobeFlashPlayer.jar or adobe.jar. JAR files are archives used to package up Java programs and normally contain a .class file, which is the executable run inside the Java Virtual Machine (JVM). In this case the .class file is called WebEnhancer.class, but it is anything but a web enhancer.
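A triage check built from the two indicators named above (the lure filenames and the WebEnhancer.class entry), as an added example that is not from the original article or from Sophos. The function names, the case-insensitive matching and the sample archives are assumptions, and the archives are harmless ones constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Indicators taken from the article text; how they are matched is an assumption.
LURE_NAMES = {"adobeflashplayer.jar", "adobe.jar"}
PAYLOAD_CLASS = "webenhancer.class"


def inspect_jar(filename, data):
    """Return the list of indicator hits for one JAR, given its name and bytes."""
    findings = []
    if PurePosixPath(filename).name.lower() in LURE_NAMES:
        findings.append("lure-filename")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:  # a JAR is a ZIP archive
            entries = jar.namelist()
    except zipfile.BadZipFile:
        return findings + ["not-a-valid-archive"]
    # Compare base names so a package directory or a renamed JAR does not hide it.
    if any(PurePosixPath(e).name.lower() == PAYLOAD_CLASS for e in entries):
        findings.append("payload-class")
    return findings


def build_jar(entries):
    """Build a constructed, harmless JAR in memory with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples (hypothetical paths); none contain real malware.
SAMPLES = {
    "Downloads/AdobeFlashPlayer.jar": build_jar(["META-INF/MANIFEST.MF", "WebEnhancer.class"]),
    "Downloads/update.jar": build_jar(["META-INF/MANIFEST.MF", "pkg/WebEnhancer.class"]),
    "lib/commons.jar": build_jar(["META-INF/MANIFEST.MF", "org/example/Util.class"]),
    "Downloads/adobe.jar": b"truncated download",
}


def triage(samples):
    """Map each sample path to its indicator hits."""
    return {name: inspect_jar(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'no indicator match'}")
```

An empty result only means neither indicator matched; both names are trivial for an attacker to change, so this complements anti-virus scanning rather than replacing it.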

When the WebEnhancer applet is run, it triggers a digital signature alert warning the user that the software is from an untrusted publisher. However, if users believe that this is a genuine file, they will probably just ignore this warning.

Once installed, Morcut/Crisis adds a backdoor which opens up the Mac to others on your network and adds a command-and-control module so it can accept remote instructions.

Analysis of the malware shows that it was designed with spying in mind, as it has functions to monitor the webcam and the microphone and to intercept instant messages on Skype, Adium and MSN Messenger. Other spying functions include the monitoring of:

  • mouse coordinates
  • location
  • clipboard contents
  • key presses
  • running applications
  • web URLs
  • screenshots
  • calendar data & alerts
  • device information
  • address book contents

With such spying capabilities, the malware could be used to capture passwords and banking details. It is able to give hackers enough information about its victims for them to perform sophisticated identity theft.

“In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could read your private messages and conversations, and open your email and other online accounts,” a Sophos spokesperson said in a statement. “By the way, if you’re curious about where the name ‘Crisis’ came from, it’s a name which appears inside the malware’s code. As far as we can tell, the author appears to have wanted his malware to be called ‘Crisis’.”

The good news is that this malware hasn’t been spotted in the wild yet, so the threat remains low. Every Mac user should install anti-virus software and, if you don’t need Java, uninstall it.
