The recent emergence of rogue security software applications for Mac demonstrates how cybercriminals effectively use social engineering techniques to manipulate users’ responses - specifically, exploiting user’s fear of revealing sensitive information such as credit card details. This scare tactic evidently works regardless of the platform.  While financial gain is primarily the motivation that drives elaborate schemes of Internet fraud, a threat that appears limited and specific to its target raises interesting questions about whether this threat is on a mission.
 
A recently discovered backdoor for Mac (that we detect as Backdoor:MacOS_X/Olyx.A) was found in an interesting package named “PortalCurrent events-2009 July 5.rar”, anonymously submitted through VirusTotal (SHA1 1c100e7f3bda579bb4394460ef530f0c6f63205c).  The package suggests that the content was extracted from Wikipedia community portal current events 2009 July 5 page ; although, the revision history shows that the last edited version was a year ago. However, if this is true, the update to the package could be an attempt to slip in a backdoor.
 
The content folder includes photos from events on June 15th 2011. Alongside are two malicious binary executable files (with SHA1s 90EBC867D3E69F10FC45E28DC87789B1C7092C5F and
0B0CA1263DF13E124A8DB0B744F8A6462E41FE44):
  • Video-Current events 2009 July 5.exe (205,480 bytes) PE EXE
  • Current events 2009 July 5 (50,956 bytes) Mach-O I386
In an interesting side note, the malicious Windows executable file (detected as Backdoor:Win32/Wolyx.A) contained a valid digital signature as follows:
 
Issued By:      WoSign Code Signing Authority
Issued To:      CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Thumbprint:     4C5F10834A0E0EF74EA7DE36A21BD327373421D2
Sign Time:      (None)
Effective On:   11/03/2009 00:00
Expired On:     11/02/2012 23:59
 
Note: This certificate has since been revoked.
 
The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named “google” in the /Library/Application Support directory, where the backdoor installs as “startp”. It also keeps a copy in the temporary folder as "google.tmp".  It creates “www.google.com.tstart.plist” in the /Library/LaunchAgents, to ensure that it launches the backdoor only once when the user logs in - this applies to all accounts on the system.
The backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established.
 
Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia.
 
Furthermore, another interesting observation here is that the feature set and the code found in this backdoor appear to be similar to that of Gh0st RAT 3.6, also known as “Ghostnet”. We detect the Ghostnet backdoor as Backdoor:Win32/Remosh.A.

Meths Ferrer