Morcut/Crisis: More sophisticated and potentially more dangerous
Fake antivirus software typically makes money for cybercriminals by convincing users to provide personal credit card information for software they don’t need. For most enterprises, the downside risks of fake antivirus have been modest. But malware such as OSX/Morcut-A (aka Crisis), first discovered in late July 2012, presents greater risks.
Designed for spying, Morcut can remotely monitor virtually every way a user communicates: mouse coordinates, IM, Skype call data, location information, the Mac’s webcam and microphone, clipboard contents, keystrokes, running apps, web URLs, screenshots, calendar and address book contents, alerts, device information, and even file system metadata.
Morcut appears as a Java Archive (JAR) file claiming to be digitally signed by VeriSign. If the user installs it, Morcut deploys kernel driver components that let it hide and run without the administrator’s authentication; a backdoor component that opens the Mac to other network users; command-and-control code that accepts remote instructions and adapts its behavior; and, most importantly, code for stealing user data.
If Morcut spreads, it will represent a serious threat to internal corporate security and compliance. Its capabilities especially lend themselves to targeted attacks aimed at capturing information about specific known Mac users in pivotal organizational roles. In contrast to most earlier Mac malware, it also reflects an extremely thorough understanding of Mac programming techniques, capabilities, and potential weaknesses.
Similar backdoor techniques are already appearing elsewhere. For instance, we recently saw them embedded in a kit for the first time. The kit, OSX/NetWrdRC-A, is primitive, flawed, and easily halted. But it’s a harbinger of more sophisticated and dangerous attacks to come.