Suspected Russian DNC hackers brew Mac trojan

Ruskie space program doc used as spear phish payload.

By Darren Pauli


Suspected Russian hackers fingered for hacking the United States Democratic National Committee (DNC) have brewed a trojan targeting Mac OS X machines in the aerospace sector, says Palo Alto researcher Ryan Olson.

The malware relies on social engineering and exploits a well-known vulnerability in the MacKeeper security software to gain access to machines.

Olson says the group known as "Sofacy", "Pawn Storm" and "Fancy Bear", among other names, is thought to be behind attacks leading to the theft and leaking of DNC emails and research documents.

The group is thought to have also hacked NATO and European organisations in the military sector.

"The Sofacy group created the Komplex trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks," Olson says.

"The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell.

"... we believe Komplex has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the trojan."

Olson says the malware is similar to the group's Carberp trojan, a move that could let the group compromise both PC and OS X systems from the same command-and-control server.

It sends information about the target machine, including running processes and user identities, back to that server, and can execute commands the server sends in return.

The trojan is shipped within a PDF document on Russian space projects: opening it executes the malware and displays a 17-page document, the latter a ruse to cloak the malware's execution.
