Incident Response, Malware, TDR

APT group adapts Windows backdoor to target Mac computers

Researchers discovered that a variant of an APT Windows backdoor exists – and that it was crafted to specifically target Mac computers.

The backdoor, dubbed “XSLCmd,” was used in targeted attacks against Windows users for several years, including by an APT group called GREF, FireEye revealed Thursday. But analysts are still unclear as to how long the iteration for Apple OS X systems has been around.

Since Mach-O binaries lack a compile timestamp (present in Windows executables), the firm said it could “only infer from other data when the OS X variant was developed.” Researchers do believe that the OS X port of XSLCmd could have been recently created and deployed, however.

The OS X variant was submitted to VirusTotal on August 10, and had zero detections at that point, FireEye noted.

The APT group GREF has, in the past, opted for watering hole attacks – strategically compromising websites often visited by targets – to spread malware. GREF also stood out for its “unrelenting targeting of web server vulnerabilities to both gain entry to targeted organizations, as well as to get new platforms for SWC [strategic web compromise] attacks,” the blog post said.

Historically, GREF's watering hole attacks targeted victims in the defense industry.

In a Friday interview with SCMagazine.com, James Bennett, senior malware research engineer at FireEye, who also co-authored the blog post, said that researchers “have no evidence of how [the OS X backdoor] was delivered to victims.”

He noted, however, that the OS X variant had keylogging and screencapturing features, malicious feats not present in the Windows version of XSLCmd. Furthermore, attackers “purposefully put forth effort in supporting PowerPC architectures,” Bennett said.

In the blog post, Bennett and co-author Mike Scott, a senior threat intelligence analyst at FireEye, explained that the malware supports PowerPC, as well as x86 and x86-64 CPU architectures. OS X 10.6 (or Snow Leopard) which was released in 2009, was the first Apple OS to drop PowerPC support, they noted.

Bennett and Scott added that the widespread notion that Macs offer users better security, “may lead to a dangerous sense of complacency in both IT departments and with users."  They contended that "in fact, while the security industry has started offering more products for OS X systems, these systems are sometimes less regulated and monitored in corporate environments than their Windows peers.”

Users can therefore expect APT groups, like GREF, to continue to adapt accordingly, they said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.