Additional malware strains for Macs surface, GateKeeper still recommended as means of protection

After a hiatus, a trio of three new discovered Mac malware strains have emerged.

The strains, once installed, have the potential to access Web cameras, password keychains, and pretty much every other resource on an infected machine.

The first one, as mentioned yesterday, has been dubbed “Elanor” by researchers at antivirus provider Bitdefender and is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac’s file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.

If installed, Elanor has the potential to lock you out of your Mac, threaten to blackmail you to restore your private files or configure your computer into a botnet to attack other devices.

Oddly enough, Elanor won’t install itself if it detects a Mac is running Little Snitch, an application firewall that can monitor and control applications’ access to the Internet, researchers from fellow antivirus provider Malwarebytes reported recently.

The second malware strain has been identified as “Keydnap” and its primary function is to siphon passwords and cryptographic keys stored in a Mac’s keychain feature. The developer openly lifted code from Keychaindump, a proof-of-concept app that streamlines the exfiltration of keychain contents when an attacker knows a Mac’s password.

Researchers from Eset, the AV provider that disclosed Keydnap, discovered a clever trick Keydnap’s developers employ to increase the chances an end user will install the malware. Once unpacked from a zip file, the installation file contains a Mach-O executable that’s disguised to look like a benign text document or image file. Immediately following the .txt or .jpg extension, the developers added a space character. As a result, double-clicking on the file will launch the file in a Mac’s terminal window where it can then be executed.

It’s presently unknown as to how Keydnap is being distributed into the wild, although it’s currently thought that it’s being passed along in spam emails or downloads from untrusted sites.

Pirritt, the third piece of malware can technically be classified as adware given that its sole function is to inject a barrage of pop-up ads on infected machines. Pirritt stands as a variant of an app spotted earlier this year, but installs a backdoor that could allow a third party to do almost anything they want to with your Mac.

“Attackers could have used the capabilities built into OSX.Pirrit to install a keylogger and steal your log-in credentials or make off with your company’s intellectual property, among many other bad outcomes,” Amit Serper, a researcher with security firm Cybereason, wrote in a report published Wednesday. “Even Macs are vulnerable to threats.”

He went on to say that a removal script released in April recently stopped working because the adware had mutated. Code contained in the new variant led him to believe it was developed by someone at TargetingEdge, an Israeli marketing company.

Elanor and Keydnap are only the second and third pieces of full-blown Mac malware spotted so far this year, with the discovery in March of the KeRanger crypto ransomware being the first, Malwarebytes Director of Mac Offerings Thomas Reed said. If Pirrit is lumped in, the number would grow to four.

None of the newly disclosed backdoors are signed by Apple-trusted signing certificates. That means people who use the default settings of OS X are automatically protected, thanks to a security feature known as Gatekeeper. Although there are simple ways attackers can defeat Gatekeeper protections, the protections still provide a layer of security that can drastically lower the chances of a Mac being successfully infected. Users should only change the default settings after carefully thinking through the decision.

Stay tuned for additional details as they become available.

Via Ars Technica