In recent days, three different pieces of malware targeting Apple's operating system have been identified. The Gatekeeper feature, enabled by default, provides a first level of protection that is sufficient to drastically reduce the chances of infection.
The alert level for the security of Mac systems has been raised. In recent days, three different malware families for Apple's operating system have been identified, following the earlier case of KeRanger observed in March.
The first, known by the nickname Eleanor, was discovered by researchers at Bitdefender and hides inside EasyDoc Converter, an app that was available on the MacUpdate site. When EasyDoc starts, it silently installs a backdoor that provides remote access to the file system and the webcam, enabling the attacker operating the remote control to download files, install new apps and watch the user in front of the infected machine. Eleanor communicates with its command and control server over Tor to avoid detection or takedown of the server itself.
Tiberius Axinte, technical manager of the Bitdefender Antimalware Lab, explains: "This type of malware is particularly dangerous because it is difficult to spot and provides the attacker full control of the compromised system. For example, an attacker can prevent a user from using the system, ask for a ransom to restore its use, or turn the system into a botnet to attack other devices."
Researchers at the security firm Malwarebytes have observed that Eleanor will not install if it detects Little Snitch on the system, a firewall that monitors and controls the Internet access of individual applications.
The second threat is called Keydnap, and its purpose is to collect passwords and encryption keys stored in the Mac OS X keychain. The developer has clearly reused code from Keychaindump, a proof-of-concept app that can extract keychain contents when an attacker knows the system password. The malware was identified by ESET, and it uses an interesting mechanism to increase its chances of being run.
The malware is distributed inside a compressed archive. When the archive is unpacked, it yields a Mach-O executable (a file type that need not have any extension), dressed up to look like a text document or picture. A double-click on the file runs it inside a Terminal window.
It is not yet clear how Keydnap is distributed, probably within spam emails or as downloads from unsafe sources. Like Eleanor, Keydnap uses Tor to hide its communications with the command and control server.
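The disguise described above relies on the user trusting a file's name rather than its contents. As an added example (not code from the article or from the researchers it cites), the following Python script flags files whose first bytes are a Mach-O header but whose extension says "document" or "picture". The Mach-O magic values come from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`; the list of document extensions, the sample file names and the sample bytes are constructed for the demonstration.

```python
import os
import struct
import tempfile

# Mach-O magic values from <mach-o/loader.h> and <mach-o/fat.h>, as they appear in the
# first four bytes on disk. Both byte orders are listed because the on-disk order
# follows the target architecture.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
    b"\xbe\xba\xfe\xca": "Mach-O universal (fat) binary",
}

# Extensions a user would read as "document or picture". This list is an assumption
# for the example; tune it to the file types your users actually exchange.
DOCUMENT_EXTENSIONS = {".txt", ".rtf", ".pdf", ".doc", ".docx",
                       ".jpg", ".jpeg", ".png", ".gif"}


def macho_kind(path):
    """Return a description if the file starts with a Mach-O magic, else None."""
    with open(path, "rb") as f:
        head = f.read(8)
    if len(head) < 8:
        return None
    kind = MACHO_MAGICS.get(head[:4])
    if kind is None:
        return None
    # 0xCAFEBABE is shared with Java class files. A fat header stores nfat_arch
    # (a small count) in the next big-endian word, whereas a class file stores
    # minor/major version there and ends up with a much larger value; libmagic
    # uses the same ">30 means Java" rule of thumb.
    if head[:4] == b"\xca\xfe\xba\xbe" and struct.unpack(">I", head[4:8])[0] > 30:
        return None
    return kind


def is_disguised(path):
    """True when a Mach-O image hides behind a document or picture extension."""
    ext = os.path.splitext(path)[1].lower()
    return ext in DOCUMENT_EXTENSIONS and macho_kind(path) is not None


def scan_directory(root):
    """Walk `root` and return sorted (relative path, kind) pairs for disguised Mach-O files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_disguised(full):
                findings.append((os.path.relpath(full, root), macho_kind(full)))
    return sorted(findings)


def build_sample_dir():
    """Create a temp directory of constructed header-only files (not real malware)."""
    root = tempfile.mkdtemp(prefix="macho-scan-")
    samples = {
        # 64-bit little-endian Mach-O header behind a .txt name: the disguise
        "invoice.txt": b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24,
        # fat header with nfat_arch = 2 behind a picture name: also a disguise
        "photo.jpg": b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x02" + b"\x00" * 24,
        # real JPEG start-of-image marker: benign
        "holiday.jpeg": b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 24,
        # Java class file (major version 52): shares the magic but is not Mach-O
        "Main.class": b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34" + b"\x00" * 24,
        # Mach-O with no extension at all: looks like a tool, so not "disguised"
        "helper": b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for rel, kind in scan_directory(root):
        print(f"{rel}: {kind} disguised as a document")
```

Run against a downloads folder, the scan reports only files whose content and name disagree; a Mach-O named `helper` with no extension is left alone, since that is what a command-line tool legitimately looks like. On a real Mac this check complements Gatekeeper rather than replacing it: a file that came from a browser also carries the `com.apple.quarantine` extended attribute, and `codesign -dv` on the suspect file shows whether it is signed at all.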
The third threat is technically classified as adware, because at present it does nothing more than open a flood of pop-up advertisements on the infected machine. The adware is named Pirrit, was discovered by Cybereason, and appears to be a variant of a malicious app discovered previously. However, Pirrit also installs a backdoor that, at least potentially, allows its developer to take control of the machine and steal information or perform other malicious actions.
What is interesting to note is that none of the new threats is signed with an Apple-trusted certificate. This means that users who keep the OS X default settings are automatically protected by the feature called Gatekeeper.
Although there are relatively simple ways by which attackers can bypass the protections offered by Gatekeeper, this feature provides a first level of security that can significantly lower the chances of a Mac system being compromised.