Researchers find more versions of digitally signed Mac OS X spyware

The malware is connected to Indian cyberespioange operation and has been active since at least December 2012, researchers say

Security researchers have identified multiple samples of the recently discovered "KitM" spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.

KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screen shots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.

The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.

The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate, issued by Apple to someone named "Rajinder Kumar." Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.

The first two KitM samples found last week connected back to C&C servers hosted in the Netherlands and Romania. Researchers from security vendor Norman Shark linked the domain names of those servers to the attack infrastructure of a large cyberespionage campaign of Indian-origin dubbed "Operation Hangover."

On Wednesday, F-Secure researchers obtained more KitM variants from a Germany-based investigator. These samples were used in targeted attacks between December and February and were distributed via spear-phishing emails carrying .zip archives, the F-Secure researchers said in a blog post.

Some of the malicious attachments were called,,, Content_of_article_for_[NAME REMOVED] and

"Though the spear phishing payloads are not particularly 'sophisticated,' the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework," the F-Secure researchers said Thursday in a different blog post.

The KitM installers contained in the .zip archives are Mach-O executables, but have icons corresponding to image and video files, Adobe PDF documents and Microsoft Word documents. This is a trick frequently seen with Windows malware distributed via email.

The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.

"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."

Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven't been discovered yet might exist.

In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.

However, this setting would be inconvenient for users in corporate environments, who need to run custom software developed in-house, Botezatu said. Such custom applications are intended for internal use only and are not published on the Mac App Store, so a more restrictive Gatekeeper setting would likely complicate their deployment process, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags ApplesecurityNorman Sharkf-securespywaremalwarebitdefender

More about Adobe SystemsAppleF-SecureMicrosoftNormanNorman

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place