ID: IRCNE2013101976
Date: 2013-10-05
According to "zdnet", in a report on the Icefog APT (Advanced Persistent Threat) Kaspersky Lab reveals that the authors created a Mac program to connect to their botnet. It was used in limited, experimental attacks in the far east, primarily in South Korea and Japan.
The Windows versions of the threat date back at least to 2011. The Mac version presents very differently: It is hidden in a bundle with the legitimate graphics program Img2icns, which converts images to icons and vice-versa. When the user installs and then loads Img2icns, they also load the Icefog trojan.
The poisoned Img2icns appeared in Chinese BBS forums in late 2012. Kaspersky believes the program was an experiment as parts of it are incomplete.
The backdoor portions of the program are similar to their Windows counterparts: they collect information about the host system, report it back to the command and control server and then request commands to execute. The program is a 64-bit binary and compatible only with OS X 10.7 and 10.8.
Kaspersky says that a few hundred users were infected with the Mac Icefog, although they haven't identified any specific infected systems. They speculate that this version was a trial (beta) run for a program to be used later in targeted attacks.
Antimalware companies are slowly catching up to Icefog. According to Virustotal's most recent analysis of the components (performed at 16:21:39 UTC on 9-29-2013) it was detected by 10 of the 44 products they tested.
- 3