The INCA Internet response team detected a multi-platform APT attack targeting both Apple's Mac OS and Microsoft's Windows OS. Most APT attacks reported so far targeted Windows; this time, however, we also received APT attacks aimed at Macs. This means attackers are reflecting the rapid growth in Mac users and are now producing malicious files for them as well. Mac users therefore need to be just as cautious about malicious files, and in particular about e-mail attachments.
2. Malicious file attacking procedure and technique
The attack was delivered in June 2012 as a malicious e-mail whose contents relate to the Uyghur people.
The recipient used Yahoo Canada's mail service, but he uses the Uyghur language on the wider web and uses "Uyghurmen" as his name.
The e-mails came in two variants. Both carried an attachment named "matiriyal.zip", but one contained the malicious file for Mac and the other the malicious file for Windows.
The following figure shows the malicious file for Mac OS.
The following figure shows the malicious file for Windows.
Each attachment contains the same JPG file, shown below.
The woman pictured is Rebiya Kadeer, a Uyghur human rights activist with origins in Xinjiang, China. Kadeer is the symbolic leader of the Uyghur self-determination movement in her capacity as President of the World Uyghur Congress, a group that advocates for greater autonomy for Uyghurs in China and fights against what it considers to be oppressive policies of the Chinese government.
The malicious file for Mac is located at "\matiriyal.app\Contents\MacOS\iCnat" and functions as a backdoor. Its strings contain several typos, including "Recieve", "os verison" and "memery".
This malicious file attempts to connect to a specific C&C server in China and can carry out a variety of additional attacks.
"matiriyal.exe", the malicious file for Windows, is a RAR SFX archive with its icon disguised as an MS Word document. It contains "1.exe".
"1.exe" creates "kbdmgr.exe" in the Temp folder and sets the Startup folder to hidden. It then creates "kbdmgr.lnk" there so that the malicious file runs at boot.
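As an added defensive check (not code from the INCA report), the PowerShell below looks on a Windows host for the persistence pattern described above: a Startup folder carrying the Hidden attribute, and a shortcut in it whose target resolves to a Temp directory. The Startup folder locations and the Temp path pattern are assumptions for this check, not values taken from the report.

```powershell
# Added example, not part of the original report.
# Flags (1) a hidden Startup folder and (2) any .lnk in a Startup folder
# whose target lives under a Temp directory (e.g. kbdmgr.lnk -> kbdmgr.exe).
# Startup locations and the Temp regex below are assumptions for this check.

$shell = New-Object -ComObject WScript.Shell

# Startup folders to inspect: each user profile plus the all-users folder.
$startupDirs = @()
$startupDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force is required so a folder marked Hidden is still returned.
    $item = Get-Item -LiteralPath $dir -Force

    # Indicator 1: the Startup folder itself has been set to Hidden.
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) {
        Write-Output "[!] Hidden Startup folder: $dir"
    }

    # Indicator 2: a shortcut in Startup whose target is under a Temp directory.
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Force -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -match '\\(Temp|Local Settings\\Temp)\\') {
            Write-Output "[!] Startup shortcut $($lnk.FullName) -> $target"
        }
    }
}
```

Run it from an elevated prompt so every profile's Startup folder is readable; any line beginning with "[!]" warrants a closer look at the referenced file.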
It is worth noting that malicious files for Mac are now spreading as well. To stay safe from the security threats posed by such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against a wide range of security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes these files and their variants.
Free installation link for nProtect AVS: http://avs.nprotect.com/