OSX Kitmos analysis

From Botnets.fr


Botnet: HangOver
Malware: Kitmos
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2013 / 2013-05-20
Editor/Conference: Steeve Barbeau
Link: http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html (blog.sbarbeau.fr)
Author: Steeve Barbeau
Type: Blogpost

Abstract

On 16 May, Sean Sullivan published an article on the F-Secure blog about a new Mac OS X malware that Jacob Appelbaum discovered on the Mac of an African activist during an Oslo Freedom Forum workshop.

According to the Unix file command, this binary is a Mach-O fat executable containing both x86 and x64 code. The VirusTotal report for this binary can be found here. Even a quick look at the sample shows that it is not packed, obfuscated or encrypted.

This sample contains two C&C URLs which, at the moment, both resolve to the same server at IP 50.116.28.24 (this differs from the F-Secure blog post, where the two domains resolved to different IP addresses). This IP address belongs to the Linode hosting company.

Bibtex

 @misc{2013BFR1331,
   editor = {Steeve Barbeau},
   author = {Steeve Barbeau},
   title = {OSX Kitmos analysis},
   date = {20},
   month = May,
   year = {2013},
   howpublished = {\url{http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html}},
 }