[Issue] Multi APT attacks for both Mac and Windows

1. Information

The INCA Internet response team has detected an APT attack targeting both Apple's Mac OS and Microsoft's Windows OS. Most APT attacks reported so far have targeted Windows; this time, however, we also received an APT attack aimed at Mac. This suggests that attackers are responding to the rapid growth in Mac users and are now producing malicious files for them. Mac users therefore also need to be careful about malicious files.
In particular, we need to be careful with e-mail attachments.

2. Malicious file attacking procedure and technique

The attack was delivered in June 2012 through malicious e-mails containing content related to the Uyghur people.

The recipient used Yahoo Canada's mail service, but writes in the Uyghur language on a public web site and uses the name "Uyghurmen".

The e-mails came in two forms. Both attachments were named "matiriyal.zip", but one carried the malicious file for Mac and the other the malicious file for Windows.

The following figure shows the malicious file for Mac OS.

The following figure shows the malicious file for Windows.

Each attachment contains the same JPG file, shown below.

She is Rebiya Kadeer, a Uyghur human rights activist with origins in Xinjiang, China. Kadeer is the symbolic leader of the Uyghur self-determination movement in her capacity as President of the World Uyghur Congress, a group that advocates for greater autonomy for Uyghurs in China and fights against what they consider to be oppressive policies of the Chinese government.

The malicious file for Mac is located at "\matiriyal.app\Contents\MacOS\iCnat" and works as a backdoor. It also contains several typos, including "Recieve", "os verison" and "memery".

This malicious file attempts to connect to a C&C server located in China and can perform various additional attacks.

"matiriyal.exe", the malicious file for Windows, disguises itself with an MS Word document icon and is packed as a RAR SFX archive. It contains "1.exe".

"1.exe" drops "kbdmgr.exe" into the Temp folder and sets the Startup folder to hidden. It then creates "kbdmgr.lnk" so that the malicious file runs at every boot.

Both malicious files are written to perform similar tasks, and the malicious file for Windows contains the string "DDoS".
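The Windows persistence described above (a dropper in the Temp folder, a hidden Startup folder and a .lnk that launches it at boot) can be triaged on a suspect machine with the following PowerShell check. This is an added example, not code from the original post or from INCA Internet; it assumes it runs as the affected user and that the built-in WScript.Shell COM object is available.

```powershell
# Added example: flag Startup-folder persistence of the kind described above.
# Assumptions: run as the user being checked; WScript.Shell COM object available.

$startup = [Environment]::GetFolderPath('Startup')                 # per-user Startup folder
$temp    = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\') + '\'    # normalised %TEMP% with trailing separator
# Note: if %TEMP% is reported as an 8.3 short name, compare against its long form as well.

# 1. The Startup folder should not normally carry the Hidden attribute.
$attrs = (Get-Item -LiteralPath $startup -Force).Attributes
if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
    Write-Warning "Startup folder is marked Hidden: $startup"
}

# 2. Resolve every shortcut in Startup and flag targets that live under %TEMP%
#    or that no longer exist on disk (a dropped binary may have been cleaned up).
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -Filter *.lnk -Force | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $inTemp = $false
    $exists = $false
    if ($target) {
        $full   = [IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($target))
        $inTemp = $full.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase)
        $exists = Test-Path -LiteralPath $full
    }
    [pscustomobject]@{
        Shortcut     = $_.Name          # e.g. a "kbdmgr.lnk"-style entry
        Target       = $target
        TargetInTemp = $inTemp          # $true for the pattern described in this post
        TargetExists = $exists
    }
} | Format-Table -AutoSize
```

Any entry with TargetInTemp set to $true, or a Hidden Startup folder, deserves a closer look; run the same check against the all-users Startup folder ([Environment]::GetFolderPath('CommonStartup')) as well.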

3. Summary

We should note that malicious files for Mac are now spreading as well. To use your PC safely against the threat of such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security vendor, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/