June 14, 2021

New malware spies on Mac users via Firefox, Safari and Skype

(LiveHacking.Com) – A new piece of Mac malware has been discovered which has been designed to spy on users. Known as either Crisis or Morcut, the malware is passed around as a Java program pretending to be Adobe Flash. The file is named something like AdobeFlashPlayer.jar or adobe.jar. JAR files are archives used to package up Java programs and normally contain a .class file, which is the executable run inside the Java Virtual Machine (JVM). In this case the .class file is called WebEnhancer.class, but it is anything but a web enhancer.

When the WebEnhancer applet is run it will cause a digital signature alert warning the user that the software is from an untrusted publisher. However, if users believe that this is a genuine file they will probably just ignore this warning.
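As an added illustration (not code from the original article or from any analysis of the real sample), the following Python helper opens a JAR as the ZIP archive it is, reads the manifest, lists the .class entries, and reports whether any signature block (META-INF/*.SF plus *.RSA/*.DSA/*.EC) is present, so an analyst can see at a glance what would run and why the JVM would warn about an untrusted publisher. The sample JAR is constructed in memory and only mimics the AdobeFlashPlayer.jar / WebEnhancer.class naming the article describes.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this


def build_sample_jar() -> bytes:
    """Construct a harmless stand-in JAR (not the real malware) with the article's naming."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: WebEnhancer\r\n\r\n")
        # Placeholder class body: correct magic, no real bytecode.
        jar.writestr("WebEnhancer.class", CLASS_MAGIC + b"\x00" * 12)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse 'Key: Value' lines of a JAR manifest (continuation lines start with a space)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def triage_jar(data: bytes) -> dict:
    """Summarise what a JAR would run and whether it carries any signature at all."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        classes = [n for n in names if n.endswith(".class")]
        # Signature files live under META-INF/; their presence says nothing about
        # whether the signature validates or whether the signer is trusted.
        sig_files = [n for n in names
                     if n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
        bad_magic = [n for n in classes if jar.read(n)[:4] != CLASS_MAGIC]
    return {
        # Applets launched from a web page may omit Main-Class; the class name then comes from the HTML.
        "main_class": manifest.get("Main-Class"),
        "classes": classes,
        "signed": bool(sig_files),
        "signature_files": sig_files,
        "class_magic_mismatch": bad_magic,
    }
```

An unsigned JAR (or one signed by an unknown publisher) is exactly what triggers the untrusted-publisher warning the article describes; a .class entry whose magic does not match is worth a closer look.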

Once installed, Morcut/Crisis adds a backdoor which opens up the Mac to others on your network and adds a command-and-control module so it can accept remote instructions.

Analysis of the malware shows that it was designed with spying in mind, as it has functions to monitor the webcam and the microphone and to intercept instant messages on Skype, Adium and MSN Messenger. Other spying functions include the monitoring of:

  • mouse coordinates
  • location
  • clipboard contents
  • key presses
  • running applications
  • web URLs
  • screenshots
  • calendar data & alerts
  • device information
  • address book contents

With such spying capabilities the malware could be used to capture passwords and banking details. It is able to give hackers enough information about its victims for them to perform sophisticated identity theft.

“In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could read your private messages and conversations, and open your email and other online accounts,” a Sophos spokesperson said in a statement. “By the way, if you’re curious about where the name ‘Crisis’ came from, it’s a name which appears inside the malware’s code. As far as we can tell, the author appears to have wanted his malware to be called ‘Crisis’.”

The good news is that this malware hasn’t been spotted in the wild yet, so the threat remains low. Every Mac user should install anti-virus software, and if you don’t need Java, uninstall it.

Apple to include Windows-style auto update feature in OS X Mountain Lion

(LiveHacking.Com) – Apple is to add a Windows-style update service to OS X Mountain Lion that will automatically install required patches for users. In a recent update to the developer preview of Apple’s newest operating system for its line of Mac computers, Apple included what it called “Security Test Update Test 1.0.”

According to MacRumors, the “Security Test Update Test 1.0.” tests the new Mountain Lion Security Updates system. The new system includes:

  • Daily checks for required security updates
  • The ability to install required security updates automatically or after restarting your Mac
  • A more secure connection to Apple’s update servers.

Previous versions of OS X, including Leopard, Snow Leopard and Lion, only downloaded updates after notifying the user and waiting for the user to accept and start the downloads. Apple also mentioned that it has increased the security used in the connections between an individual Mac and Apple’s update servers. This is probably in response to the additional hardening measures Microsoft recently rolled out for its Windows Update service after the discovery that the Flame malware was using Windows Update to propagate itself.

OS X 10.8 also includes other security features, like Gatekeeper, which restricts the installation of downloaded applications based on their source. It has three modes: users can allow applications to be installed only if they are downloaded from the Mac App Store; only if they are downloaded from the Mac App Store or from trusted developers; or from anywhere.

Apple has not revealed the release date for Mountain Lion, but if it follows the same pattern it did with the release of Lion then Mountain Lion will come out on July 25. Apple has, however, announced that the upgrade will cost just $19.99 and be available in the Mac App Store.

New Mac Malware uses Office Documents to Exploit OS X

(LiveHacking.Com) – AlienVault Labs has recently found some OS X malware which uses an already-fixed vulnerability in Microsoft Office for Mac to infect Apple computers with command-and-control malware. The vulnerability exploited by the malware was patched in June 2009 and affected Mac Office 2004 version 11.5.4 or earlier, Mac Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier. The malware, which will only infect unpatched systems, is the first recorded malware for OS X that attempts to use Office documents as a means of infection.

For a system to be infected, a user needs to open a specially crafted Word document in an unpatched version of Word for Mac. The document then causes a script to save the malware to the hard disk. The malware is then run to complete the infection. Once installed, the malware tries to make contact with a command-and-control server in China. The server sends instructions to the Mac, giving the attacker remote control and allowing them to install programs; view, change, or delete data; or create new accounts. By running Word from a standard (non-administrator) account, which the majority of Mac users do, the control that the remote attackers have over the system is limited.

The good news is that the malware is easy enough to remove by deleting the two files it drops, using the following commands in the OS X Terminal (note that /Library/launchd here is the malware’s file, not the system launchd, which lives at /sbin/launchd):

sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
sudo rm /Library/launchd

As always, it is best to keep your Mac up to date via the automatic software updates supplied by Apple and by any third parties like Microsoft.

Is There an Unpatched Vulnerability in Skype for Mac? Yes and No.

Gordon Maddern caused quite a stir over the weekend when he blogged about a zero-day vulnerability in the Mac OS X client of Skype. According to Gordon, who works at Pure Hacking, a security consultancy, he discovered the vulnerability over a month ago and notified Skype. They responded with “Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix.” However, after a month of silence Gordon decided to go public.

Skype responded quickly, saying that the vulnerability has been fixed. “At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability… We subsequently released a hotfix for this problem in a minor update (Skype for Mac version on April 14th.”

However, the problem was that, since there were no reports of this vulnerability being exploited in the wild, Skype did not prompt its users to install this update, as, according to Skype, “there is another update in the pipeline that will be sent out early next week.”

Gordon has subsequently updated his blog: “We can confirm that skype has fixed this issue in It requires a manual update. All prior versions are vulnerable. According to skype this patch will be pushed out next week.”

To update your Skype for Mac client, click on Skype -> Check for Updates, or you can download the software here.

Analysis: Skype got this wrong by not notifying its users of the upgrade. A month is a long time in information security. If another hacker had discovered the same flaw and launched an attack, it could have harmed Skype’s reputation enormously.

BlackHole RAT – New Mac Trojan

Security researchers from Sophos have spotted a new piece of malware. That in itself isn’t unusual, but this one is notable as it targets Mac OS X rather than Windows.

According to the client end of the malware, used by the attacker to send commands to the remote machine, the software is still beta quality and not yet finished. The implication is that development is ongoing and a more sophisticated version of the software is planned.

Known as BlackHole RAT, the software seems to be a port of the well-known Remote Access Tool/Trojan (RAT) for Windows known as DarkComet. SophosLabs has dubbed the trojan OSX/MusMinim-A.

At the moment there are no reports of this tool spreading in the wild, and it doesn’t come with a delivery mechanism, meaning that attackers wishing to use it need to find some other way to infect the remote Mac with the server component, such as a vulnerability in a browser or its plugins.

The functionality of the so-called beta is fairly limited and currently only allows the attacker to:

  • Place text files on the desktop
  • Send restart, shutdown or sleep commands
  • Run arbitrary shell commands
  • Display a full-screen window with a message that only allows the victim to click reboot
  • Send URLs to the client to open a website
  • Pop up a fake “Administrator Password” window to try to solicit the administrator credentials from the victim

However, this is enough to cause damage to the remote machine and could be used for online fraud.

http://ithreats.net has posted a YouTube video of BlackHole RAT in action.