New software ported from Windows to Mac! You'll never guess what. Yes, it's spyware

XSLCmd coming your way, whether you like it or not

Spying image

Miscreants have ported five-year-old spyware XSLCmd to OS X.

The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables, and is configurable.

But the OS X port adds new features, according to net security firm FireEye, which claims to have discovered the backdoor-installing tool.

"The OS X version of XSLCmd includes two additional features not found in the Windows variants we have studied in depth: key logging and screen capturing," FireEye said.

The infosec biz tracked the development of the software to a group it has named GREF due to the gang's habit of dropping references to Google in their nefarious activities.

GREF has targeted US defense contractors to electronics and engineering companies worldwide, as well as foundations and non-government organizations – especially those with interests in Asia.

The gang's favorite tactic involves setting up watering holes: essentially, hacking websites popular with workers in the aforementioned industries to inject a malicious JavaScript file into the sites' webpages.

The mechanism to pull in the code is tucked away inside blocks of Google Analytics code. Once executed, the JavaScript gets to work pulling in and installing XSLCmd.

FireEye explained that "true to their moniker the link was usually placed inside an existing Google Analytics code block in the page source code to help obscure it, rather than simply appended to the end of the file like many other attackers did."

GREF have often used web server vulnerabilities to lay the groundwork for attacks.

"They have been known to leverage vulnerabilities in ColdFusion, Tomcat, JBoss, FCKEditor, and other web applications to gain access to servers, and then they will commonly deploy a variety of web shells relevant to the web application software running on the server to access and control the system," FireEye researchers James T. Bennett and Mike Scott wrote in their blog post.

Surveillance and remote-control tools targeted at Mac users are uncommon. However, security tools vendor AlienVault documented an Office for Mac attack targeting Tibetan non-government organizations two years ago.

And the so-called IceFrog group hit South military and media outlets in Korea and Japan last year after developing backdoor-installing malware that worked on Mac and Windows machines, as discovered by Russian security firm Kaspersky Lab. ®

Biting the hand that feeds IT © 1998–2019