Researchers at Kaspersky Lab intercepted a Mac-based Trojan attack was targeting Uyghur human rights activists.
According Costin Raiu, Director of Kaspersky's Global Research and Analysis Team, the campaign uses malicious e-mails containing a JPEG photo and a Mac OS X app embedded in a ZIP file.
When recipient open the zip file, it will the malware installs itself on the Mac OS system system and then attempts to connect to a Command and Control (C&C) server and allow the attacker to run commands on the infected computer and access its files.
“The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as 'Backdoor.OSX.MaControl.b'," Raiu noted a in a blog post.
"The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size. The configuration block is obfuscated with a simple “substract 8” operation. " he added.
Researchers appear to have traced the C&C server to an IP address in China.
Similar to Kaspersky Lab's discovery, AlienVault Labs claims to have found another backdoor that targets windows users.
Transmitted through email, the attack also includes a zip file - along with a Winrar file. The file extracts a binary that goes on to copy itself but not before dropping a DLL file on the system. After its injected, the DLL file appears to help initiate Gh0st RAT, a well-known remote access tool. Gh0st RAT was served up by Amnesty international’s website just last month and has been used in other targeted attack campaigns in recent years.
