New backdoor Mac OS X Trojan surfaces

There are many good reasons to choose a Mac machine, and among those is surely the fact that malware for OS X still pops up rarely. As Apple slowly but surely increases its market share, we are sure to witness more and more malicious code written specifically for targeting Mac users.

In the meantime, even what seems to be a beta version of a Mac OS X Trojan is enough to raise our heads from the keyboard and take notice, so Sophos’ researchers warn about a backdoor Trojan that will quite likely have the ability to take over the infected system and perform a series of unwanted actions.

Even though the author named the Trojan “BlackHole RAT”, Sophos calls it MusMinim in order to avoid any mix up with the legitimate “Black Hole” application for clearing sensitive information from Macs.

The Trojan’s interface contains a curious mix of English and German, possibly indicating the nationality of its author(s). The analysis of the code reveals that the Trojan itself is a variant of darkComet – a well-know Windows Remote Access Trojan (RAT).

This type of Trojan typically uses a client-server program to communicate with the infected machine – a server application is installed on the victim’s machine while the client application can be found on the attacker’s machine.

The Trojan apparently allows the attacker to run arbitrary shell commands, send a restart, shutdown or sleep command, send a message which is displayed on the victim’s screen, make specific URLs be opened in the victim’s default browser and engage in phishing by making a fake “Administrator Password” window pop up.

This version is believed do be a beta because the author declares it to be so in the welcome screen and the default message to be displayed on the victim’s screen, but that doesn’t mean it is not already functional and that it cannot already be used – or that it has not already been used.

Sophos already added protection against the threat to its Mac AV solution, so it’s more than probable that other AV vendors will do it soon – if they haven’t already. In the meantime, users are advised to avoid downloading unknown applications from software download and torrent sites, which are usually used to spread malware like this.

More about

Don't miss