Does my Mac need protection?

The truth is that no operating system is 100% secure. Even if one were, vulnerabilities in applications such as Java and the Java Virtual Machine can be exploited by malware. A high-performing antivirus adds layers of security, decreasing exposure to potential threats.


Mac Threats in time

  • 2004
    • Opener (Renepo)
    • Amphimix (MP3Concept)
  • 2005
  • 2006
    • Leap
    • Inqtana
  • 2007
    • Jahlav (RSPlug)
  • 2008
    • MacSweep
    • iMunizator
  • 2009
    • Tored
  • 2010
    • Hovdy
    • HellRTS (HellRaiser)
    • OpinionSpy
    • Boonana
  • 2011
    • BlackHole (darkComet, MusMinim)
    • MacDefender
    • Olyx
    • Flashback
    • Revir and Imuler
    • Devilrobber (Miner)
    • Tsunami (Kaiten)
  • 2012
    • Sabpab
    • Morcut (Crisis)
    • Lamadai
  • 2013
    • Kitm and Hackback
    • Yontoo
    • Minesteal a.k.a. Minesweep
    • Fucobha (Icefog)
    • Pintsized
  • 2014
    • LaoShu
    • Appetite (Mask, Careto)
    • CoinThief
  • 2015
    • Agent.AE
    • OceanLotus
  • 2016
    • KeRanger
    • Keydnap
    • Eleanor
    • Komplex
  • 2017
    • Filecoder.E

Opener (Renepo)

Shell script with backdoor and spyware functionality

This was a (bash) shell script. Installation required either admin access or physical access to the target machine, plus write access to system areas and utilities. Once installed as a Startup Item it was intended to run as root, without any need to invoke sudo (a utility, found mostly in Unix-like or Unix-derived operating systems, that allows a user account to run system programs at a higher privilege level).

By version 2.3.8, the version usually reported, it was installing a variety of backdoor and spyware functionality, stealing a range of configuration and application information, and including password-cracking and other decryption functionality.

Author DimBulb is credited “for inspiration” by the author of the osxrk rootkit, from September 2004.

Amphimix (MP3Concept)

The first acknowledged OS X malware (not seen in the wild)

This is a Proof of Concept (PoC) Mac Trojan seen early in 2004 that masqueraded as an MP3, using an .MP3 icon. Its main importance is in the timing – it is generally regarded as the first acknowledged OS X malware – rather than its impact: it wasn’t seen “in the wild” and subsequent changes to the Finder effectively countered the vulnerability it exploited.

Its only payload was to display a dialogue box saying “Yep this is an application. (So what is your iTunes playing right now?)” At the same time it launched iTunes and tried to play a 4-second MP3 audio clip of “wild laughter” (apparently a man laughing).



Leap

The first true OS X worm

It appeared at the beginning of 2006 and attracted a great deal of media attention. It used a graphic icon to pass off a Unix executable as a JPG image, claimed to be the latest Leopard Mac OS X 10.5 screenshots, and was spread through the iChat messenger client, using a file called latestpics.tgz.

The malware required user interaction in order to spread, and used Spotlight to infect all the files it found on disk.


Inqtana

Proof-of-Concept worm exploiting a Bluetooth vulnerability

This was a Proof-of-Concept worm targeting OS X systems. It was written in Java and spread through a directory traversal vulnerability in Apple’s Bluetooth system which was subsequently fixed by the vendor (2005-2006).

It modified the setting of launchd to make sure its code was executed at boot time, thus ensuring persistence (that is, it continued to load at every system reboot).

It attempted to spread by sending OBEX Push requests to other Bluetooth devices, though its spread was limited by the use of a time-limited library version, meaning that it couldn’t spread after 24th February 2006. Inqtana.D significantly developed the attack in that it didn’t require any user interaction in order to install, and once installed the backdoor access was available through Ethernet or Airport, not just Bluetooth.

Jahlav (RSPlug)

DNS Changer

The family of DNS changing malware includes binaries identified as OSX/Jahlav, OSX/DNSchanger, OSX/Puper, OSX/RSPlug (and sundry variations according to individual vendor naming conventions). Some vendors regard it as consisting of more than one family originating with the same author, but such distinctions are not maintained consistently across the vendor community.

This group is also closely related to the Zlob family, associated with similar malicious functionality on Windows platforms. This type of malware was found in great numbers in the wild. It is predominantly found as a DMG file containing an installation package named install.pkg.

It has been distributed using various schemes such as fake codecs, an approach commonly used by malware on other platforms. The ultimate purpose of this malware is to change DNS settings of an infected host, potentially enabling the attacker to alter Internet content accessed from an infected system. A script named preinstall, executed at the beginning of the installer process, performs these malicious actions. A set of shell commands is launched to write the script to disk and execute it. An interesting point relating to OSX/Jahlav is that this threat uses server side polymorphism to generate new copies of its binaries, probably in an effort to evade detection by intrusion detection systems and antivirus software. Script files are also obfuscated using various shell tools such as uuencode, sed, and tail to conceal, vary or reverse the order of the commands and hamper analysis.
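As an added example (not ESET's code and not taken from any sample of the family), the following Python triage helper peels the uuencode layer described above out of an installer preinstall script and flags the uuencode, tail -r, sed and pipe-into-shell idioms the description names; the script it examines is a constructed, harmless sample.

```python
import binascii
import re

# Shell idioms the description above names; a hit is a triage signal, not proof of malice.
MARKERS = {
    "uuencode/uudecode": re.compile(r"\buu(?:en|de)code\b"),
    "tail -r (reverse line order)": re.compile(r"\btail\s+-r\b"),
    "sed stream editing": re.compile(r"\bsed\b"),
    "output piped into a shell": re.compile(r"\|\s*(?:sh|bash)\b"),
}


def decode_uu_blocks(text):
    """Decode every 'begin <mode> <name>' ... 'end' uuencode block found in text."""
    blocks, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"begin \d{3} (\S+)$", lines[i])
        if m:
            name, buf, i = m.group(1), bytearray(), i + 1
            while i < len(lines) and lines[i] != "end":
                if lines[i].strip():
                    buf += binascii.a2b_uu(lines[i])   # one encoded line -> up to 45 bytes
                i += 1
            blocks.append((name, bytes(buf)))
        i += 1
    return blocks


def triage_preinstall(script_text):
    """Return markers seen in the script and in any payload it hides, plus a score."""
    markers = [label for label, rx in MARKERS.items() if rx.search(script_text)]
    decoded = decode_uu_blocks(script_text)
    for _, blob in decoded:   # one level of unwrapping: the payload may itself be a script
        inner = blob.decode("utf-8", "replace")
        markers += [label + " (inside decoded payload)"
                    for label, rx in MARKERS.items() if rx.search(inner)]
    return {"markers": markers, "decoded": decoded, "score": len(markers) + len(decoded)}


def uuencode(name, payload):
    """Build a uuencode block; used only to construct the sample below."""
    body = "".join(binascii.b2a_uu(payload[i:i + 45]).decode()
                   for i in range(0, len(payload), 45))
    return "begin 644 %s\n%s`\nend\n" % (name, body)


# Constructed sample: a harmless inner script hidden in a uuencoded heredoc, decoded,
# reversed with tail -r, reversed back with the classic sed one-liner, and run.
INNER = b'#!/bin/sh\necho "inner script would change settings here"\n'
SAMPLE_PREINSTALL = (
    "#!/bin/sh\n"
    "# constructed sample, not a real installer script\n"
    "cat > /tmp/p.uu <<'EOF'\n" + uuencode("p", INNER) + "EOF\n"
    "uudecode -p /tmp/p.uu | tail -r | sed -n '1!G;h;$p' | sh\n"
)

if __name__ == "__main__":
    result = triage_preinstall(SAMPLE_PREINSTALL)
    print(result["score"], result["markers"])
    for name, blob in result["decoded"]:
        print("---", name)
        print(blob.decode())
```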



MacSweep

First OSX scareware

Also known as Troj/MacSwp-A, OSX_MACSWEEP, MacSweeper, this threat was first reported in January 2008 and is sometimes described as the first OSX scareware (or fake security application).

Most of the descriptive material applying to OSX/MacSweep also applies to iMunizator: in fact, some vendors flag iMunizator as OSX/MacSweep.B, and some sources reported an almost identical screen for both “products” saying “Get rid of compromising files now” and claiming that the product was a “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. The program flags a number of perfectly legitimate applications as privacy violations, malware, bad cookies, “compromising files” and so on, and anyone trying to remove them is told they need to buy the MacSweep software.


iMunizator

Rogue AV application

Also known as OSX/Imunisator, Troj/MacSwp-B, OSX_MACSWEEP.B, OSX/AngeloScan, this was first reported in late March, 2008. iMunizator was essentially a retread of OSX/MacSweep (MacSweeper), or “another Rogue AV.”

The “call to action” in this case was again a screen saying “Get rid of compromising files now”, and claiming that the product was “3-in-1 Internet cleaner, System cleaner, and Performance optimizer for your MAC”. Wouldn’t it be nice if you could get an application to clean the Internet?

The program flags a number of perfectly legitimate applications as “trash”, and any victim naive enough to try to remove them is told they need to buy the iMunizator software. Amusingly (in a black sort of way), iMunizator tries to tell you that the apps it flags may compromise the victim’s credit card.



Tored

Proof of Concept worm spreading via email

This Proof of Concept malware was discovered in 2009 and called Mac/Tored.AA. The name is a modification of the original name found in the binary file, which was OSX.Raedbot. This worm was able to spread through email using its own SMTP engine.

It could also contact a command and control server on the Internet to receive additional commands. Functionally, it therefore closely resembles certain classic Windows massmailers as well as many bots. However, we have not seen any instance of Mac/Tored.AA in the wild.


Hovdy

Information-gathering spyware

The OSX/Hovdy malware family is a set of scripts designed to gather as much information as possible from a host and send it back to a potential attacker.

In some variants, the information is sent back in an email with the subject Howdy, hence the name. Some variants were programmed as a bash script while other variants are programmed using AppleScript. We saw around a dozen different variants of the OSX/Hovdy script malware.

HellRTS (HellRaiser)

Information-stealing backdoor trojan with remote control capability

This is a backdoor trojan that can be controlled remotely. It attempts to send captured information (including files and screenshots) to a remote machine, using HTTP, FTP, and SMTP.

In order to get sensitive information it displays the following dialog box:


The trojan acquires data and commands from a remote computer or the Internet. It may also:

  • run executable files
  • execute shell commands
  • shut down/restart the computer
  • log off the current user
  • send data to the printer
  • open a specific URL address
  • change the sound volume
  • open the CD/DVD drive
  • play sound/video
  • open a web page using the user’s default browser
  • watch the user’s screen content



OpinionSpy

Spyware with backdoor and remote control capability

This program was first reported around the beginning of June 2010 and was associated with software calling itself PermissionResearch or PremierOpinion.

This spyware masking itself as a market research utility was offered as part of the installation process for a number of screensavers. It also acted as a backdoor and could be controlled remotely.




Boonana

Multi-platform social engineering trojan

This Java-based trojan, which attacks Mac, Linux and Windows systems and became notorious in October 2010, spread through social networking sites, passing itself off as a video and using the well-worn “Is this you in this video?” trick reminiscent of Windows malware.

The description suggests a trojan downloader (a Java applet) that executes an installer that in turn modifies system files so that an outside attacker doesn’t need passwords to access the system. Moreover, the trojan checks a C&C server (standard botnet stuff) periodically. There were also reports of the malware being spammed out through email.

When the potential victim runs the "video", a message is generated suggesting that the video can’t be watched without installing special software.


If the trick works, the Java applet runs happily on Windows, OS X and Linux. For Windows systems, however, a registry entry is added, while for OS X, files are copied to /Library/StartupItems and a script called OSX updates is created.

This is very much social engineering-focused malware: its initial attack is on the user, not on the platform, and it isn’t self-launching in the first instance. In other words, the malware requires user consent to be installed. While the (intended) functionality is not dissimilar, the code doesn’t resemble Koobface particularly, which is why ESET hasn’t used that name as an identifier, though some vendors have done so.



BlackHole (darkComet, MusMinim)

Multi-function backdoor trojan

This RAT (Remote Access Tool) came to light early in 2011. It was described as a beta version by its author:

“Welcome to BlackHole RAT. Now this is the Beta Version, and there are funktions. Have Fun;)“


The user interface also includes some German words such as Ablage and Bearbeiten, though the messages are in (more or less) English.

“…I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can’t be infected, but look, you ARE Infected!”


According to comments in the code, there was intended to be a more stable version in due course.

So, Im a very new Virus, under Development, so there will be much more functions when im finished.

However, the darkComet RAT project was declared terminated in June 2012.

BlackHole’s abilities included the following:

  • Execute shell commands remotely.
  • Direct the user’s browser to its own choice of web page.
  • Create a text file on the desktop.
  • Perform shutdown, restart and sleep operations: in fact, it may put up a window from which the user can only escape by letting it reboot the machine as a demonstration of its capabilities.
  • Pop up a fake Finder message asking the victim to enter the administrator password.

The name notwithstanding, there is no obvious connection between this Blackhole and the Black Hole exploit kit.



MacDefender

The first major Mac malware

This fake AV has also been reported as calling itself MacProtector, MacDetector, MacSecurity, Apple Security Center, MacGuard, and MacShield. Appearing in May 2011, it is probably the most widespread rogue anti-virus on the Mac to date.

The infection was spread via poisoned search engine results on image searches. When a bad link was followed in a search, the user was presented with an alert that trojans or other threats have been detected on the system.


At the start of the attack, either a simple dialog box over the browser window or a fake Finder window is displayed. The malware was updated over time to present a user interface more like a native OS X application and less like a Windows application. Subsequent variants were also deployed that were capable of installing through a fake Finder window requiring the user to enter administrator credentials. If the victim clicked on the "Cancel" or "Remove All" buttons instead of closing the browser normally (or if necessary, with Force Quit), it was able to install the software anyway. It also took advantage of Safari’s default setting ‘Open “safe” files after downloading’ to download and open the malware automatically.


Once the malware was installed and launched, the victim was told that the software was an Unregistered Copy, and given the option of registering and paying for it.




Olyx

A malware-downloading backdoor

A backdoor that allows the infected machine to be controlled remotely, receiving data and instructions for its operation from the Internet or via a remote Command & Control server in a botnet.

It may use known Java exploits to gain access to the victim’s system. The trojan contains an IP address to which it tries to connect over port 80 using TCP.


It may execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • various file system operations
  • execute shell commands
  • send the list of files on a specific drive to a remote computer



Flashback

The largest Mac botnet to date

OSX/Flashback.A is a trojan that tries to download other malware from the Internet, and at the same time the Flashback botnet is the largest Mac botnet to date. The Flashback attack uses social engineering to entice the user to download and install the malware.

The malware presents a standard and professional-looking installer screen to create a backdoor via a dynamic library called Preferences.dylib. Once installed, it uses RC4 encryption to communicate with a remote server and transmits data such as the user’s MAC address, OS version, UUID, and more. The malware could also potentially be used to allow the malware author to inject code into the target Mac.

A later variant of OSX/Flashback included exploit code for CVE-2012-0507, a Java exploit also used by the Blackhole exploit kit. This meant that the trojan was able to infect computers without user interaction. Oracle and, later on, Apple released a Java update that addressed the problem.

The malware collects information about the infected computer, its operating system, and system settings, and tries to send the information on to a remote machine. It receives data and instructions from a Command & Control server via HTTP. It quits immediately if Little Snitch is detected on the system and removes itself from the computer.

ESET recommends disabling Java in Safari and OS X if it is not needed most of the time.

The trojan displays the following picture:


In September 2012, ESET released a comprehensive technical analysis of the Flashback threat.


Revir and Imuler

Dropper/ downloader backdoor with spyware capability

These two examples of malware are usually referred to as distinct threats, even though Revir is the dropper and downloader and Imuler.A is the backdoor that carries the sting.

The malicious application poses as a PDF file, and in fact displays a PDF embedded in its own body. This payload displays some politically contentious Chinese text while the app extracts a downloader that fetches and installs a backdoor Trojan (Imuler). The backdoor is intended to communicate with a C&C (Command and Control) server.

The most striking similarity between this and the techniques used by Windows malware is in the use of a phased infection process using several components. The PDF is not booby-trapped with some kind of 0-day threat, as is so often the case with targeted malware, but is simply a component of the malware, which must be executed before the PDF can be displayed. The Imuler Trojan acquires data and commands from a remote computer whose URL is held within its own body, or from the Internet, using HTTP.

The malware can execute the following operations:

  • capture screenshots
  • send files to a remote computer
  • send various information about the infected computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • extract ZIP archives


Devilrobber (Miner)

Bitcoin-generating spyware using Torrents to spread

The program has been spread hidden inside copies of GraphicConverter, which is a legitimate image editor. However, the infected copies were distributed via Torrent sites such as PirateBay. Like a number of Mac trojans, the program will terminate on infection if it finds Little Snitch installed: otherwise, it will be launched at every reboot.

Devilrobber performs the following malicious activities:

  • Opens ports and listens for C&C servers
  • Steals GPU (Graphics Processing Unit) cycles to generate Bitcoins in order to defraud the Bitcoin service, and if it finds a Bitcoin wallet on the infected machine, steals that too
  • Acts as spyware, forwarding usernames and passwords to a remote server
  • Noses around looking for other stuff like the keychain file, bash history file, Safari history file, and takes and forwards screenshots
  • It may also be looking for files that contain child abuse material


Tsunami (Kaiten)

IRC controlled backdoor

This is an IRC controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service attacks. It contains a hardcoded list of IRC servers and channels that it attempts to connect to.

The malware is a version of the elderly Linux/Tsunami malware (also known as Kaiten), recompiled as a Mach-O binary to run on OS X. Of low risk, but apparently a work in progress: a second version shows some “improvements.”

Dating from 2002, the Linux backdoor trojan, once it managed to install itself, listened for instructions transmitted over IRC. Its command set is focused on various DDoS (Distributed Denial of Service) attacks, but its capability to execute shell commands has the potential for many other types of attack. The list of accepted commands is taken from the comment block in the Linux C source code.


In addition to enabling DDoS attacks, the backdoor can also enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the capability to essentially take control of the affected machine.



Sabpab

Backdoor Trojan with remote control capability

The trojan serves as a backdoor. It can be controlled remotely and acquires data and commands from a remote computer or the Internet, using HTTP to contact a URL held in its own body. This malware, like the highly prevalent Flashback variant, exploits the CVE-2012-0507 vulnerability.

It can execute the following operations:

  • send the list of files on a specific drive to a remote computer
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • capture screenshots

It seems to have originated on 16th March 2012 or even a little earlier. Reports indicate a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labelled Luckycat. There may even be a link with attacks on Tibetan activists. Later attacks have used Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office. The malware’s later variant does not use the Java exploit CVE-2012-0507, so Apple’s updates don’t provide protection for this elderly Office vulnerability.


Morcut (Crisis)

Multi-platform spyware trojan

Morcut is an OS X Trojan specific to Snow Leopard and Lion (some reports suggest that it can run on Leopard, but tends to crash): it can install without any action on the part of the user, is persistent (survives reboot), and has rootkit capabilities that are activated if the infected system is running under root.

However, it hasn’t been found in the wild to date: the initial samples were found on VirusTotal. The malicious JAR file includes a Java class file misleadingly called WebEnhancer that checks whether the Java Virtual Machine in which it finds itself is running under Windows or OS X. If the JVM is running under Windows, it installs a version of Swizzor; if it’s OS X, it installs OSX/Crisis.

Crisis isn’t actually the first or only attempt at hardware-independent malware, but the significance of the fact that the attempt is being made should not be underestimated, even though there are more technically interesting aspects to the whole malware package: in particular, the range of activity and data the malware is meant to monitor put it right in the spyware category. The sensitive data it can compromise includes IM transactions, location, keystrokes and mouse movement, contents of the clipboard, running processes, and an assortment of other device and environment information that is tracked.



Lamadai

A backdoor targeting Tibetan NGOs

This was a malware attack targeting Tibetan NGOs (Non-Governmental Organizations). The attack consisted of luring the victim into visiting a malicious website, which would then drop a malicious payload on the target’s computer using the Java CVE-2011-3544 vulnerability and execute it.

The webserver would serve a platform-specific JAR (Java Archive) dropper based on the browser’s UserAgent String to infect the user’s Windows or OS X system.

OSX/Lamadai.A has built-in features typical of a backdoor: namely the download and execution of an arbitrary file, uploading of local files to the operator’s Command and Control (C&C) server, and spawning of a command-line shell. It is the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability (CVE-2011-3544) to infect its victims.

The OS X-specific dropper was also served to Linux clients. However, since the dropped payload is designed for OS X only, Linux clients will not be infected. OS X uses the Mach-O file format for its executable files. For OSX/Lamadai.A, the Mach-O executable was compiled for 64-bit only, which is unusual since Mach-O binaries normally contain both the 32-bit and 64-bit versions of the executable.
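To see the fat-versus-thin distinction the last paragraph relies on, here is an added Python example (not ESET's tooling) that reads the Mach-O fat header and thin headers and reports whether a binary is 64-bit only, as OSX/Lamadai.A was. The headers it parses are constructed inside the block, not taken from any real sample; the 0xCAFEBABE collision with Java class files is handled with a count heuristic.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # fat (multi-architecture) header; always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header (in the file's own byte order)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000   # bit set in cputype for 64-bit architectures
CPU_NAMES = {
    7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm", 12 | CPU_ARCH_ABI64: "arm64",
    18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64",
}
# A Java .class file also starts with 0xCAFEBABE; there the next four bytes are the
# minor/major version, which reads as an implausibly large architecture count.
MAX_FAT_ARCHS = 30


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, "cputype 0x%08x" % cputype)


def _thin_cputype(data):
    """Return (cputype, is64) for a thin Mach-O header in either byte order, else None."""
    for order in ("<", ">"):
        magic, cputype = struct.unpack(order + "II", data[:8])
        if magic == MH_MAGIC:
            return cputype, False
        if magic == MH_MAGIC_64:
            return cputype, True
    return None


def macho_cputypes(data):
    """Return ("fat", [cputypes]), ("thin", [cputype]) or ("not-macho", [])."""
    if len(data) < 8:
        return "not-macho", []
    magic, count = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        if count == 0 or count > MAX_FAT_ARCHS:
            return "not-macho", []          # most likely a Java class file
        types = []
        for i in range(count):
            off = 8 + i * 20                 # struct fat_arch: cputype, cpusubtype, offset, size, align
            if off + 20 > len(data):
                break                        # truncated header
            types.append(struct.unpack(">I", data[off:off + 4])[0])
        return "fat", types
    thin = _thin_cputype(data)
    return ("thin", [thin[0]]) if thin else ("not-macho", [])


def classify_macho(data):
    """Human-readable variant: kind plus architecture names."""
    kind, types = macho_cputypes(data)
    return kind, [cpu_name(t) for t in types]


def is_64bit_only(data):
    """True when the file carries no 32-bit slice at all, Lamadai's unusual trait."""
    kind, types = macho_cputypes(data)
    return kind != "not-macho" and all(t & CPU_ARCH_ABI64 for t in types)


# Constructed sample headers (not real binaries): only the header fields matter here.
def build_thin_x86_64():
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2),
    # ncmds, sizeofcmds, flags, reserved; Intel Mach-O is little-endian
    return struct.pack("<8I", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)


def build_fat_i386_x86_64():
    slices = [(7, 4096, 28), (7 | CPU_ARCH_ABI64, 8192, 32)]   # (cputype, offset, size)
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for cputype, offset, size in slices:
        out += struct.pack(">5I", cputype, 3, offset, size, 12)  # align = 2**12
    out += bytes(4096 - len(out))
    out += struct.pack("<7I", MH_MAGIC, 7, 3, 2, 0, 0, 0)       # 32-bit slice header
    out += bytes(8192 - len(out))
    out += build_thin_x86_64()                                   # 64-bit slice header
    return bytes(out)


SAMPLE_THIN = build_thin_x86_64()
SAMPLE_FAT = build_fat_i386_x86_64()
SAMPLE_JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 50) + bytes(8)  # minor 0, major 50

if __name__ == "__main__":
    for label, blob in (("thin", SAMPLE_THIN), ("fat", SAMPLE_FAT), ("class", SAMPLE_JAVA_CLASS)):
        print(label, classify_macho(blob), "64-bit only:", is_64bit_only(blob))
```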


Kitm and Hackback

Malware families with spying capabilities tied to Operation Hangover and the attack against an activist at the Oslo Freedom Forum

OSX/Kitm is a backdoor that can be used for spying on the victim. It has the capability to run additional executables sent by the attacker on the infected computer, thus expanding its functionality. The trojan is also able to create screenshots and send these to a remote computer.

It modifies the /Users/%username%/Library/Preferences/ file to ensure its execution on every system start.

OSX/Hackback is a trojan with similar functionality to OSX/Kitm, most likely created by the same malware-writer.

These malware families have been tied to the Operation Hangover malware campaign and the targeted espionage attack against an activist at the Oslo Freedom Forum.



Yontoo

A dubious browser plug-in serving advertisements, with content-injecting and redirecting capabilities

OSX/Adware.Yontoo is an example of grayware and Potentially Unwanted Applications (PUAs) hitting OS X as well as Windows.

On OS X, the malware takes the form of a plug-in or extension for one of the popular browsers: Safari, Chrome or Firefox.

The purpose of the plug-in is to serve advertisements. It has the characteristic traits of a trojan, with the ability to inject content into displayed web-pages and redirect users to arbitrary sites.

As is the case with other grayware, Yontoo also presented itself as a legitimate company and was surrounded by heavy speculation regarding the usefulness or maliciousness of its software.

Apple has released updated XProtect malware definitions to protect against this bogus Yontoo (identified as “OSX.AdPlugin.i”).


Minesteal a.k.a. Minesweep

A cross-platform Trojan written in Java targeting online gamers

Similar to the notorious Win32/PSW.OnlineGames family on Microsoft Windows, Java/Spy.Minesteal is also a threat targeting online gamers.

The trojan steals login credentials for the game Minecraft. It masquerades as a “Minecraft Hack Kit” offering players additional in-game options.

Written in Java, the cross-platform trojan can affect both OS X and Windows.


Fucobha (Icefog)

An espionage backdoor used in targeted attacks against Asian corporations and governments.

This is the OS X version of malware used in targeted attacks against several targets in Eastern Asia. Windows trojans have also been used in these attacks. According to our observations, the Fucobha malware operators selectively target their victims.

The malware is designed to steal sensitive information and leaves almost no trace on the compromised system.


The malware has spread disguised as legitimate OS X applications, for example Img2icns, AppDelete and CleanMyMac. Upon infection it installs a backdoor on the target computer. OSX/Fucobha has mostly been detected in China but we’ve received ESET LiveGrid® reports from other countries as well.

For espionage purposes the malware is capable of:

  • Hijacking email account credentials and passwords to various network resources on the company LAN
  • Sending arbitrary documents and files from the infected computer to its Command and Control (C&C) server
  • Collecting system information from the infected computer
  • Running arbitrary shell commands and database queries on the infected system
  • Downloading remote files from the C&C and executing them


Pintsized

A backdoor using Perl scripts and native Mach-O binaries.

The backdoor dubbed Pintsized consists of two components: Perl scripts stored in .plist files and a Mach-O binary. After infection, a reverse shell is opened on the compromised machine, granting attackers remote access to the system.


OSX/Pintsized uses modified versions of OpenSSH, named “cupsd”, to encrypt the network communication with the C&C server using an embedded RSA key.

On a compromised system the modified version of OpenSSH is located in “/Users/[USER NAME]/.cups/cupsd”.


LaoShu

A trojan distributed via fake delivery notice emails

OSX/LaoShu.A has been spreading via a fake email purporting to come from FedEx, notifying the recipient about an undelivered item. The user is instructed to click on a link for more information about the delivery. Although the email appears to link to a PDF document on a legitimate FedEx domain, clicking on the link directs the victim to an application hosted on the attacker’s server.

The downloaded file is an application but uses a PDF document icon to mislead the user. After launching the file, however, OS X will notify the user that it is, in fact, an application. Interestingly, this piece of malware is digitally signed in order to bypass Gatekeeper security on Mac OS X 10.8 and 10.9.

When executed, OSX/LaoShu can perform a variety of malicious actions, such as:

  • Download files from the Command and Control (C&C) server and execute them on the target computer.
  • Upload files found on the target computer to the C&C.
  • Run arbitrary shell commands.

Appetite (Mask, Careto)

The OS X component used in cyber-espionage attacks against multiple targets.

OSX/Appetite is the Mac OS X component reported in targeted attacks against multiple government, diplomatic, corporate and other targets.

The sophisticated threat also comprises Windows components and utilizes rootkit and bootkit techniques.

The OS X backdoor connects to a Command and Control (C&C) server and awaits commands from the attacker. It can perform the following malicious actions:

  • Execution of arbitrary programs on the local computer
  • Execution of arbitrary shell commands


CoinThief

Malware designed to steal Bitcoins with additional backdoor functionality.

CoinThief is a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

The trojan has been spreading using several different methods: on GitHub (where the trojanized compiled binary didn’t match the displayed source code), on popular and trusted download sites such as CNET’s, and as cracked applications via torrents. Multiple legitimate applications have been abused to camouflage the trojan. Some examples include: Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher’s role is to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all of the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. The malicious transaction would take place only if the victimized wallet contained at least 2 BTC.

The browser extensions target Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitor visited websites, download malicious JavaScripts and inject them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.

Furthermore, the backdoor component enables the attacker to take full control over the victim’s computer. Based on our analysis the backdoor can perform the following actions:

  • collect information about the infected computer, the user and installed software
  • execute arbitrary shell scripts on the target computer
  • upload an arbitrary file from the victim’s hard drive to a remote server
  • update itself to a newer version




Agent.AE

A backdoor dropper exploiting a vulnerability in the MacKeeper software

OSX/Agent.AE comes as a dropper with an embedded binary that serves as a backdoor providing remote access to the system.

Once installed, it first checks internet connectivity of the infected computer. If successful, it opens a silent communication channel with a remote location.

The main features of the malware are as follows:

  • Downloading files and running them after adding permission for execution
  • Executing shell commands
  • Uploading files to a remote location


OceanLotus

The OSX component of an APT attack targeting Chinese organizations

A multiplatform APT threat, targeting both Windows and OS X, that disguises itself as an Adobe Flash update and spreads as an attachment to spearphishing emails. It has been targeting government agencies, maritime institutes, research organizations and shipping enterprises, almost exclusively in China.

OSX/OceanLotus is a malicious application bundle. Its main binary serves as a dropper, and two further hidden, encrypted objects are stored in the bundle's resources. The first is a copy of the dropper; the second is the malicious payload, a backdoor written to a temporary directory under the name pboard, with the following features:

  • Running shell commands like listing directory contents, moving, removing or copying files
  • Downloading a file or an application bundle from a remote computer and executing it
  • Listing recently opened documents and currently opened windows
  • Capturing a screenshot
  • Displaying a process status or killing a process

It installs itself under the name corevideosd in the hidden directory /Library/Logs/.Logs and, to survive reboots, adds an autostart configuration (a launch agent plist) to the LaunchAgents directory.


KeRanger

The first in-the-wild crypto-ransomware for OSX

This threat spread through a malicious build (version 2.90) of the otherwise legitimate open-source BitTorrent client Transmission. For a short time it was available for download from Transmission's official website, and it was signed with a legitimate developer certificate.

Once executed, it stays dormant for three days. On its trigger date it connects to one of several sites hosted on the Tor network to download the ransom note text and an RSA public key, and then enumerates every file under /Users and /Volumes for encryption before demanding a ransom. Each file is encrypted with its own key following the same pattern: a random 256-bit key is generated and used to encrypt the file with AES, then that AES key is encrypted with the RSA-2048 public key and the result is stored in the file. Because only the attacker holds the matching RSA private key, the per-file AES keys, and so the files, cannot be recovered without it; both algorithms are effectively unbreakable at these key sizes.



Keydnap

A backdoor that exfiltrates victims' credentials from their keychains

The first stage of this threat is a downloader distributed as a zip file. The archive contains an unsigned Mach-O executable with a benign-looking extension such as .txt or .jpg. The extension, however, ends in a space character, so double-clicking the file in Finder does not open it in Preview or TextEdit but launches it in Terminal instead. Once started, it downloads and executes the backdoor component, then replaces itself with an embedded decoy document, which is displayed to the user.
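The trailing-space disguise described above is cheap to check for before anyone double-clicks. The following script is an added example written for this page (it is not the page's own code and has nothing to do with the Keydnap sample itself): it walks the members of a zip archive without extracting them and flags names ending in whitespace, as well as files whose first bytes carry a Mach-O magic number while their extension claims a document type. The archive it scans is constructed in `build_sample_zip()`; no real sample is used, and the member names are invented.

```python
import io
import struct
import zipfile
from pathlib import Path

# Thin Mach-O magic numbers in both byte orders, plus the fat/universal header magic.
MACHO_THIN = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big/little endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"
# Extensions a user expects Finder to hand to Preview, TextEdit or an office app.
DOC_EXTS = {".txt", ".rtf", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx"}


def is_macho(header: bytes) -> bool:
    """Return True if `header` (the first 8 bytes of a file) looks like a Mach-O image.

    0xCAFEBABE is shared with Java class files.  A fat Mach-O header follows it
    with a small big-endian architecture count; a class file follows it with a
    version word whose major version is at least 45 (0x2D), so a threshold of
    32 separates the two.
    """
    if header[:4] in MACHO_THIN:
        return True
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        (nfat_arch,) = struct.unpack(">I", header[4:8])
        return nfat_arch < 32
    return False


def classify(name: str, header: bytes) -> list:
    """Return the reasons a zip member looks like a disguised executable (empty if none)."""
    reasons = []
    stripped = name.rstrip(" \t")
    if stripped != name:
        # Finder maps extensions to applications; "photo.jpg " is not ".jpg" any more.
        reasons.append("trailing whitespace in file name")
    ext = Path(stripped).suffix.lower()
    if is_macho(header) and ext in DOC_EXTS:
        reasons.append(f"Mach-O executable with document extension {ext}")
    return reasons


def scan_zip(zip_file) -> dict:
    """Scan every member of a zip (path or file-like object), reading only each header."""
    findings = {}
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                header = member.read(8)
            reasons = classify(info.filename, header)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the demo; none of these members is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 64-bit little-endian Mach-O magic, named like a photo with a trailing space
        zf.writestr("vacation.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        # fat (universal) Mach-O with two architectures, hiding behind a PDF name
        zf.writestr("report.pdf", b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 24)
        # genuine text document
        zf.writestr("notes.txt", b"meeting at 10\n")
        # Java class file: same 0xCAFEBABE magic as a fat Mach-O, must not be flagged
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8)
    return buf.getvalue()


def demo() -> dict:
    """Scan the constructed archive and return the findings keyed by member name."""
    return scan_zip(io.BytesIO(build_sample_zip()))


if __name__ == "__main__":
    for member, reasons in demo().items():
        print(f"{member!r}: {'; '.join(reasons)}")
```

Reading only the first eight bytes of each member keeps the scan cheap on large archives, and checking the header rather than the name is what catches the second sample, which has an honest-looking name and no trailing space. The class-file case is there because a naive 0xCAFEBABE match would flag every Java archive on the machine.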

The backdoor is packed with a modified version of the UPX compression utility.

To persist across reboots, it places a plist in the appropriate LaunchAgents directory. When running with administrator privileges, it also reconfigures itself so that it will run as root from then on. It is equipped with a mechanism for gathering and exfiltrating the passwords and keys stored in the system keychain. The backdoor supports multiple commands, allowing it to perform the following actions:

  • Uninstalling itself
  • Updating itself with a base64-encoded file or a URL
  • Downloading and executing a Python script from a URL
  • Executing a shell command and reporting the output back
  • Requesting administrator privileges by spawning a fake dialog
  • Managing an additional executable called authd_service
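Both OceanLotus (corevideosd under the hidden /Library/Logs/.Logs directory plus a LaunchAgents entry) and Keydnap (a plist in the LaunchAgents directory) rely on launchd for persistence, which makes the LaunchAgents directories a natural place to look. The script below is an added example for this page, not code from the page's author or from either sample: it parses launch agent plists with the standard library's plistlib and reports programs that live in hidden directories or in unusual locations, Apple-style labels that point at non-Apple binaries, and whether the job autostarts. The two plists it audits are constructed for the demo; the label com.apple.corevideosd is an assumption chosen to illustrate the label check, not one taken from a sample.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Directories in which a legitimate launch agent's program is unlikely to live.
SUSPICIOUS_DIRS = ("/Library/Logs", "/tmp", "/private/tmp", "/var/tmp", "/Users/Shared")
# Where Apple's own agents and daemons are installed.
APPLE_ROOTS = ("/System/", "/usr/", "/Library/Apple/")


def program_path(plist: dict):
    """Return the executable a launchd job runs, or None if the plist names none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def audit_launch_agent(data: bytes) -> list:
    """Return a list of findings for one launch agent plist (XML or binary format)."""
    plist = plistlib.loads(data)
    findings = []
    prog = program_path(plist)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    # A dot-prefixed path component is invisible in Finder and to a casual `ls`.
    hidden = [p for p in PurePosixPath(prog).parts if p.startswith(".")]
    if hidden:
        findings.append(f"program lives in hidden directory {hidden[0]!r}")
    for d in SUSPICIOUS_DIRS:
        if prog.startswith(d + "/"):
            findings.append(f"program under {d}, not a normal install location")
            break
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_ROOTS):
        findings.append(f"Apple-looking label {label!r} but program outside Apple system paths")
    # Autostart is normal for an agent; report it only as context for other findings.
    if findings and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        findings.append("configured to start at login (RunAtLoad/KeepAlive)")
    return findings


def audit_directory(directory) -> dict:
    """Audit every .plist in a LaunchAgents directory; returns {file name: findings}."""
    results = {}
    for plist_file in sorted(Path(directory).glob("*.plist")):
        results[plist_file.name] = audit_launch_agent(plist_file.read_bytes())
    return results


# Constructed samples.  The first mirrors the OceanLotus install path named in the
# text; its label is an assumption made for the demo, not one taken from a sample.
OCEANLOTUS_LIKE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.corevideosd</string>
  <key>ProgramArguments</key><array><string>/Library/Logs/.Logs/corevideosd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def demo() -> dict:
    """Audit the two constructed plists and return the findings keyed by file name."""
    return {
        "com.apple.corevideosd.plist": audit_launch_agent(OCEANLOTUS_LIKE),
        "com.example.updater.plist": audit_launch_agent(BENIGN),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

On a live system, call `audit_directory` on ~/Library/LaunchAgents and /Library/LaunchAgents (and /Library/LaunchDaemons for root-level persistence). The heuristics are deliberately simple; treat a hit as a reason to inspect the program on disk, not as a verdict.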



Eleanor

A Tor-powered backdoor accessing the victim's webcam

This malware poses as a drag-and-drop file utility called EasyDoc Converter. The application bundle wraps a shell script which, using the Dropbox name as a disguise, installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.

The Tor service turns the victim's computer into a Tor hidden service, giving the attackers full, anonymous access to the infected machine through its Tor-generated (.onion) address.

The attackers obtain that address via the Pastebin agent, which uploads it in encrypted form to the Pastebin website.

The web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:

  • Managing files like viewing, renaming, uploading, downloading, archiving, etc.
  • Executing shell commands
  • Connecting via bind/reverse shell
  • Connecting to various database management systems such as MySQL or SQLite
  • Listing processes
  • Sending emails with an attachment
  • Capturing and browsing images and videos from the victim’s webcam


Komplex

An OSX component of a large cybercriminal toolkit for targeted attacks

OSX/Komplex belongs to a set of malicious tools operated by a cybercriminal group called Sednit (aka Sofacy). The group targets major entities such as governmental and industrial organisations. The trojan has three stages that execute in a cascade. In the first, a decoy document is displayed to distract the victim while an additional executable is dropped onto the system.

[Screenshot: Komplex decoy document]

The second stage ensures that the threat is executed at every system start. Finally, the payload runs, opening a silent communication channel with a remote location and giving the attacker full access to the compromised computer, which involves:

  • Executing shell commands
  • Downloading and executing files from the Internet
  • Exfiltrating files to a remote location



Filecoder.E

A crypto-ransomware for OSX

This ransomware was caught spreading via BitTorrent distribution sites in February 2017, masquerading as “Patcher”, an application used for pirating popular software. “Patchers” for Adobe Premiere Pro and Microsoft Office for Mac were spotted in the wild, but versions for other software might have been distributed as well.

[Screenshot: OSX/Filecoder.E main window]

The torrent delivers an application bundle packaged as a single zip file. After the fake application is launched, the ransomware's main (transparent) window is displayed, as depicted above.

File encryption starts when the user clicks "Start". The ransomware calls the arc4random_uniform function to generate a random 25-character string and uses it as the encryption key for all of the victim's files. It then demands a ransom in Bitcoin, as instructed in a "README!" .txt file copied throughout the user's directories.

Although the instructions are quite thorough, OSX/Filecoder.E has no functionality for communicating with a C&C server, so the randomly generated key is never sent to its operators and not even they can decrypt the affected files. The key is also far too long to be recovered by brute force, leaving the encrypted data unrecoverable in any reasonable amount of time.
