New Mac trojan hints at ties to high-priced commercial hacking toolkit

“French security firm Intego discovered a new Mac Trojan horse this week that is being used to target specific individuals,” Gregg Keizer reports for Computerworld.

“The Trojan, dubbed ‘Crisis’ by Intego — a Mac-only antivirus developer — and called ‘Morcut’ by Sophos, is espionage malware that spies on victims using Mac instant messaging clients, browsers and Skype, the Internet phoning software,” Keizer reports. “According to Intego, which published an initial analysis on Tuesday and has followed up with more information since then, Crisis sports code that points to a connection with an Italian firm that sells a $245,000 espionage toolkit [Remote Control System (RCS)] to national intelligence and law enforcement agencies.”

Keizer reports, “From all indications, Crisis, like any true Trojan, does not exploit a vulnerability, but instead relies on trickery to convince the user to self-infect his or her Mac. ‘We believe that the infection vector may rely primarily on social engineering to be installed and at this point in time there is no reason to believe there is a vulnerability being used in conjunction with the threat,’ said Symantec in a post to its security response team’s blog yesterday.”

Read more in the full article here.

[Thanks to MacDailyNews Reader “theloniousMac” for the heads up.]

Related articles:
Warning: New Java trojan targets Apple’s OS X along with Windows, Linux – July 11, 2012
Symantec: Mac Flashback trojan infections declining rapidly, have dropped six-fold in a week – April 18, 2012
Apple releases Flashback trojan removal tool – April 14, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
600,000 Macs infected with Flashback trojan, 274 in Cupertino; how to check your Mac – April 5, 2012
Warning: New Mac trojan hides in pirated graphics software – November 1, 2011
Hackers port Linux trojan to Mac OS X – October 26, 2011
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011
New OS X trojan horse sends screenshots, files to remote servers – September 23, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004


      1. No. Which is why I haven’t bothered. Whenever I read about spyware, I’ve noticed that camera up there and realized that a piece of cardboard would defeat all the smartest software on the planet. You seem to be a bit anxious to come across as one of those “big picture” sorta guys. I wouldn’t “work it” so hard if I were you.

          1. Are you positive about this, perryfjellman? The key to the answer is whether the LED is being driven by an independent, dumb circuit that illuminates the LED whenever the camera is activated, or whether the camera is merely accessed by the software and a microprocessor-controlled output turns on the LED. I would pretty much expect it to be the latter. But I would appreciate it if someone who knows for certain about how that LED is activated would weigh in here.

            1. This was hashed out years ago. Apple hard wired the LED into the camera power circuit. If the camera is on, then the LED is on unless someone opens up your Mac and physically bypasses the LED.

      2. BTW, G4Dualie, if and when we get through an upcoming European clinical trial on a new medical implant we’re working on, then I will pay even more attention to cyber-security. A 4-star general recently testified to Congress that the one trillion dollars-worth of intellectual property is being lost due to cyber-espionage each year. How much of that is attributable to the Chinese was classified and wasn’t disclosed in open testimony.

        I’m quite sure the Chinese have little interest in whatever faces you might be making in front of your monitor. But every U.S. company that makes anything remotely high-tech should take computer security very seriously.

        1. the Chinese have been trying to break into multiple US aerospace and defense companies on a monthly basis.

          they have written malware and spyware specifically targeting the networks of more than one of these companies.

          Why the hell we manufacture all of our crap there and consider the country an ally is beyond me. They’ve been robbing the US of technology for years now.

            1. The “giving” it to them part no doubt accounts for many trillions of dollars of I.P. That is in addition to all the robbing the Chinese have been doing. As I wrote, a 4-star general recently testified before Congress that outright theft accounts for one trillion dollars-worth of I.P. stolen—much of it by China.

            2. There are some things that should have been better thought out. Giving them the technology to make new “Cabbage Patch” dolls is one thing, the technology to make precision ball bearings, for example, another.

            3. You are dead-on correct. It is precisely all that sort of stuff. Western engineers spent decades doing primary metallurgical experiments—much of the good stuff in the 1950s—that was slowly distilled into paint-by-the-numbers know how. And then, just because everyone wants cheaper labor, we had American manufacturers just give it all away.

            4. @ Piccio

              If you are basing your opinion on the premise that US trade with China is a “level playing field,” you are mistaken. Take just one example of this vaunted “IP” that we will sell them in return for their crap: Hollywood movies. China restricts the number of foreign movies allowed to be shown in the country. They do this with all sorts of industries.

    1. Microphone. Indeed. The best overall anti-cyberspying strategy is what I have installed and swear by: Little Snitch (Little Snitch homepage). It flags all outgoing traffic. You train it for a few weeks until it recognizes various programs that “phone home” to check for upgrades and what not.

      I forget what Mac spyware recently made the press, but the spyware was designed to not install on any Macs that had either Xcode or Little Snitch installed; the cyber-douches didn’t want their program to be discovered by savvy programmer-types.

  1. Hmmm! Quite interesting. Though I am puzzled by what they mean by “being used to target specific individuals”. Who would these individuals be? When they mentioned the Italian firm selling these toolkits, my first guess was kind of crazy—that toolkit probably has something to do with the malware. And the firm is selling that toolkit to governments to spy on other groups and/or nations that are a threat. So, in this picture, those groups and nations would be the specific individuals. But, then again, maybe not…..that sounds kind of insane.

    …still not certain who those specific individuals are though.

    1. That means they design an email targeting a specific person, making it look like it is coming from a friend or other trusted source. Then the target user clicks on an attachment and gets infected, potentially then opening up the entire network that user is connected to.

      This is how companies get infiltrated.

      1. I understand that part. What puzzles me is what they mean by “specific individuals”. Like, what group of people or what organizations are the targets of this Trojan and why?
