Friday, May 17, 2013
New Mac Malware Breezes Past Gatekeeper Because It’s Signed By An Apple Developer ID
A new piece of Mac malware has been found in the wild that let attackers steal data and install unauthorized apps on a compromised machine. What makes it different from other recent Mac malware is that it breezes right past Gatekeeper… and the people behind it might have been gunning for the life of their victim.
Security researcher and privacy activist Jacob Appelbaum discovered the malware, which Finnish antivirus firm F-Secure has named OSX/KitM.A, on the laptop of a human rights activist at the Oslo Freedom Forum earlier this week.
KitM.A got onto the machine through a spear phishing attack, a phishing attack aimed at specific individuals rather than a wide range of victims. The malware takes screenshots of what is happening on the Mac and sends them to servers in the Netherlands. It can also download and install other malware, execute commands on behalf of the attackers, and manipulate the network activity monitor so that its traffic goes unnoticed.
What’s so interesting about this specific malware is that it was signed with a valid Apple Developer ID. Gatekeeper, the code-signing check introduced in OS X Mountain Lion, is meant to keep out exactly this sort of program: in its default setting it refuses to open downloaded apps unless they come from the Mac App Store or are signed by an identified developer. Because KitM.A carried a legitimate Developer ID signature, it satisfied that policy and was allowed to run. The flip side is that Apple can revoke the certificate, after which the signed binary no longer passes Gatekeeper on machines that haven’t already run it; revocation does not remove it from computers that are already infected, which is a job for antivirus signatures rather than Gatekeeper. And hopefully the attackers can be tracked down and prosecuted, because they’ve left a lead: their own Apple Developer ID, which is tied to a developer account (though that account could of course have been registered under a false name or belong to someone else).
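For readers who want to check a suspicious binary themselves, here is an added example (not from the article, Appelbaum, or F-Secure) showing how to see who signed a Mac app and whether Gatekeeper’s policy would accept it, using the stock macOS tools codesign(1), spctl(8) and xattr(1). The parsing helper runs anywhere, so the script exercises it on a constructed sample of codesign output; the app path, bundle identifier, developer name and team ID in that sample are made up.

```shell
#!/bin/sh
# Added example: inspect the Developer ID chain on a Mac binary and ask
# Gatekeeper's policy engine (spctl) what it would do with the file.

# Constructed sample of what `codesign -dvvv App.app 2>&1` prints for a
# Developer ID-signed app.  Names and IDs are made up for illustration.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Notes.app/Contents/MacOS/Notes
Identifier=com.example.notes
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Reduce codesign's verbose output (read on stdin) to the certificate chain
# and team identifier, one "authority=..." or "team=..." line each.
signer_summary() {
    awk -F= '
        /^Authority=/      { print "authority=" substr($0, 11) }
        /^TeamIdentifier=/ { print "team=" $2 }
    '
}

# Exit 0 if the chain on stdin is a Developer ID chain: a leaf issued by
# Apple's Developer ID CA that chains to Apple Root CA.  Ad-hoc or
# self-signed code has no such Authority lines and fails this check.
is_developer_id_signed() {
    signer_summary | awk '
        $0 == "authority=Developer ID Certification Authority" { ca = 1 }
        $0 == "authority=Apple Root CA"                        { root = 1 }
        END { exit !(ca && root) }
    '
}

# Full check on a real app bundle or executable (macOS only).
gatekeeper_check() {
    app="$1"
    # Gatekeeper only evaluates files carrying the quarantine attribute that
    # browsers and mail clients set on downloads; without it, nothing is asked.
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present (Gatekeeper evaluates on first launch)"
    else
        echo "quarantine: absent (Gatekeeper is not consulted for this file)"
    fi
    echo "signature chain:"
    codesign -dvvv "$app" 2>&1 | signer_summary
    if codesign -dvvv "$app" 2>&1 | is_developer_id_signed; then
        echo "developer-id chain: yes"
    else
        echo "developer-id chain: no"
    fi
    # spctl applies the same policy Gatekeeper applies at launch time and
    # reports "accepted" with source=Developer ID, or "rejected".
    spctl --assess --type execute --verbose=4 "$app" 2>&1
}

# With an app path on a Mac, inspect it; otherwise demonstrate the parser on
# the constructed sample.
if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    gatekeeper_check "$1"
else
    printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | signer_summary
    if printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | is_developer_id_signed; then
        echo "developer-id chain: yes"
    fi
fi
```

The point of the quarantine check is the caveat that matters here: Gatekeeper is a gate on first launch of quarantined downloads, not a continuous scanner, so an app that has already run, or that arrived by a path that never set the quarantine attribute, is never asked about its signature again. After Apple revokes a Developer ID, `spctl --assess` on a fresh copy reports it as rejected, but a copy already running on a victim’s machine keeps running.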
Appelbaum said that he may publish more details on the attack once he has assessed the threat to the victim’s life. Someone was gunning for him, after all, and given what’s going on in Angola these days, that’s a sensible precaution.