<<<
NEWS FROM THE LAB - Thursday, May 16, 2013
>>>
 

 
Mac Spyware Found at Oslo Freedom Forum Posted by Sean @ 12:29 GMT

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.

Developer ID

The launch point:

Launch point

It dumps screenshots into a folder called MacApp:

Screenshot dump folder

Functions:

Functions

There are two C&C servers related to this sample:

DomainTools, securitytable.org
securitytable.org

DomainTools, docforum.info
docsforum.info

One C&C doesn't currently resolve, and the other:

docsforum.info
Forbidden

Our detection is called: Backdoor:OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e)