Cyber espionage group uses Windows backdoor port to attack OS X

Viruses in program code

A group of hackers known to have been behind various past attacks against the US Defense Industrial Base, as well as other important companies in the sector, has recently started using a backdoor program to attack systems running OS X.

FireEye security researchers wrote in a blog post on Thursday that the backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past few years and has been updated many times in the process.

The malicious program is dubbed XSLCmd and is capable of opening a reverse shell, managing and transferring files, and installing other malicious programs on the infected computer. The OS X variant can also log keystrokes and capture screenshots, according to FireEye researchers.

When installed on a Mac, the malware copies itself to /Library/Logs/clipboardd and $HOME/Library/LaunchAgents/clipboardd. It also creates a LaunchAgent file, com.apple.service.clipboardd.plist, to ensure it runs again after the system reboots. The malware contains code that checks the version of OS X, but it does not account for versions newer than OS X 10.8 (Mountain Lion). This suggests that 10.8 was either the latest version of OS X when the program was written or at least the version most common among its intended targets.
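As an added example (not code from the FireEye report or from this article), the following POSIX shell function checks a host or a mounted disk image for the persistence artefacts described above: the two dropped binaries, the named LaunchAgent plist, any other LaunchAgent that references a clipboardd binary, and a running clipboardd process. The ROOT and HOME_DIR arguments are an assumption added here so the check can be pointed at an image or a test tree; on a live Mac call it as `check_xslcmd_iocs / "$HOME"`.

```shell
#!/bin/sh
# Added triage check for the XSLCmd persistence artefacts named in the
# FireEye write-up. Arguments (both assumptions for offline use):
#   $1  filesystem root to inspect (default "/")
#   $2  user home directory to inspect (default "$HOME")
# Prints each indicator found; returns 1 if anything matched, 0 if clean.
check_xslcmd_iocs() {
    root="${1:-/}"
    home_dir="${2:-$HOME}"
    root="${root%/}"          # "/" becomes "" so paths do not start with "//"
    home_dir="${home_dir%/}"
    found=0

    # Locations the backdoor copies itself to.
    for path in "$root/Library/Logs/clipboardd" \
                "$home_dir/Library/LaunchAgents/clipboardd"; do
        if [ -e "$path" ]; then
            echo "IOC: file present: $path"
            found=1
        fi
    done

    # LaunchAgent plist that relaunches the backdoor after a reboot.
    plist="$home_dir/Library/LaunchAgents/com.apple.service.clipboardd.plist"
    if [ -e "$plist" ]; then
        echo "IOC: persistence plist present: $plist"
        found=1
    fi

    # Any other user LaunchAgent pointing at a clipboardd binary is
    # suspicious even if the attacker renamed the plist.
    for agent in "$home_dir"/Library/LaunchAgents/*.plist; do
        [ -f "$agent" ] || continue
        [ "$agent" = "$plist" ] && continue
        if grep -q 'clipboardd' "$agent" 2>/dev/null; then
            echo "IOC: LaunchAgent references clipboardd: $agent"
            found=1
        fi
    done

    # Live process check; only meaningful on a running host, harmless elsewhere.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x clipboardd >/dev/null 2>&1; then
        echo "IOC: clipboardd process running"
        found=1
    fi

    return $found
}
```

The exit status makes the function usable from a fleet-wide job (for example a periodic script that alerts on non-zero), while the printed lines give an analyst the exact paths to collect before remediation.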

The XSLCmd backdoor was created and used by a cyber espionage group that has been operating since at least 2009 and has been dubbed GREF by FireEye researchers. "Historically, GREF has targeted a wide range of organizations, including the United States Defense Industrial Base (DIB), electronics and engineering companies around the world, as well as foundations and other non-governmental organizations, especially those with interests in Asia."

According to FireEye:

OS X has gained popularity among businesses, with inexperienced users quickly adapting to the new system and finding it easy to operate, high-tech users making use of its more powerful features, and executives as well [...] Many people also consider it to be a more secure computing platform, which can lead to a dangerous sense of complacency in IT departments. In fact, while the security industry has begun offering more products for OS X systems, these systems are sometimes less regulated and supervised in corporate environments than their Windows counterparts.
