The Channel logo

News

By | John Leyden 5th September 2014 23:43

New software ported from Windows to Mac! You'll never guess what. Yes, it's spyware

XSLCmd coming your way, whether you like it or not

Miscreants have ported five-year-old spyware XSLCmd to OS X.

The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables, and is configurable.

But the OS X port adds new features, according to net security firm FireEye, which claims to have discovered the backdoor-installing tool.

"The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing," FireEye said.

The infosec biz tracked the development of the software to a group it has named GREF due to the gang's habit of dropping references to Google in their nefarious activities.

GREF has targeted US defense contractors to electronics and engineering companies worldwide, as well as foundations and non-government organizations – especially those with interests in Asia.

The gang's favorite tactic involves setting up watering holes: essentially, hacking websites popular with workers in the aforementioned industries to inject a malicious JavaScript file into the sites' webpages.

The mechanism to pull in the code is tucked away inside blocks of Google Analytics code. Once executed, the JavaScript gets to work pulling in and installing XSLCmd.

FireEye explained that "true to their moniker the link was usually placed inside an existing Google Analytics code block in the page source code to help obscure it, rather than simply appended to the end of the file like many other attackers did."

GREF have often used web server vulnerabilities to lay the groundwork for attacks.

"They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system," FireEye researchers James T. Bennett and Mike Scott wrote in their blog post.

Surveillance and remote-control tools targeted at Mac users are uncommon. However, security tools vendor AlienVault documented an Office for Mac attack targeting Tibetan non-government organizations two years ago.

And the so-called IceFrog group hit South military and media outlets in Korea and Japan last year after developing backdoor-installing malware that worked on Mac and Windows machines, as discovered by Russian security firm Kaspersky Lab. ®

comment icon Read 30 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

Locker room jocks photo via Shutterstock
Best locker-room strategy: Avoid emulating AWS directly
STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock