Earlier this week, new Mac spyware was discovered on a computer at the Oslo Freedom Forum, an annual human rights conference. Found by computer security researcher Jacob Appelbaum, the malware, which has been designated OSX/KitM.A, is currently being investigated by the anti-virus company F-Secure, according to CNET.
The malware is a backdoor application named “macs.app” that automatically launches at login and captures screenshots, which it saves to a MacApp folder in the user’s home directory. Two command-and-control servers, at securitytable.org and docsforum.info, are associated with the malware; one does not respond, and the other returns a “public access forbidden” message.
Interestingly, the malware is signed with an Apple Developer ID, part of a scheme designed to prevent the installation of malware: Apple’s Gatekeeper security option blocks unsigned apps by default, so a valid Developer ID signature is enough to get past it. According to the folks at CNET:
This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.
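Because Gatekeeper accepts any valid Developer ID signature, a defender needs to look at who signed an app, not merely whether it is signed. The script below is an added example, not code from F-Secure, CNET or the malware analysis: it parses the `Authority=` and `TeamIdentifier=` lines that macOS's `codesign -dvv` prints and applies a simple allowlist policy. The sample output, bundle identifier, developer name and team ID are constructed for illustration (the `inspect_app` helper only works on a Mac with `codesign` installed).

```python
import subprocess
from typing import Dict, List, Set

# Constructed sample in the shape of `codesign -dvv` output; the identifier,
# developer name and team ID are made up and are not the real signer's values.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Users/victim/macs.app/Contents/MacOS/macs
Identifier=com.example.macs
Format=bundle with Mach-O thin (i386)
Authority=Developer ID Application: Example Developer (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123
"""


def parse_codesign(output: str) -> Dict[str, object]:
    """Turn codesign's key=value lines into a dict; Authority lines form the chain."""
    info: Dict[str, object] = {"authorities": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip lines that are not key=value
        if key == "Authority":
            info["authorities"].append(value)  # type: ignore[union-attr]
        else:
            info.setdefault(key, value)
    return info


def classify_signer(info: Dict[str, object]) -> str:
    """Name the kind of signing identity instead of a bare 'signed' verdict."""
    chain: List[str] = info.get("authorities", [])  # type: ignore[assignment]
    if not chain:
        return "unsigned-or-adhoc"
    leaf = chain[0]  # first Authority line is the leaf certificate
    if leaf.startswith("Software Signing"):
        return "apple"  # Apple's own binaries
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "mac-app-store"
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"  # Gatekeeper allows this, whoever the developer is
    return "other"


def assess(info: Dict[str, object], allowed_teams: Set[str]) -> str:
    """Policy: trust Apple, allow known Developer ID teams, flag the rest."""
    kind = classify_signer(info)
    if kind in ("apple", "mac-app-store"):
        return "allow"
    if kind == "developer-id":
        return "allow" if info.get("TeamIdentifier") in allowed_teams else "review"
    return "block"


def inspect_app(path: str, allowed_teams: Set[str]) -> str:
    """Run codesign on a real bundle (macOS only); it prints its report to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return assess(parse_codesign(proc.stderr), allowed_teams)
```

On the constructed sample, `assess` returns "review" for an allowlist that does not contain EXAMPLE123, which is exactly the case Gatekeeper itself would wave through.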
Source: F-Secure via CNET