OSX Kitmos analysis

From Botnets.fr


Botnet: HangOver
Malware: Kitmos
Date: 2013 / 2013-05-20
Editor/Conference: Steeve Barbeau
Author: Steeve Barbeau
Type: Blogpost
Link: http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html (blog.sbarbeau.fr; archive copy available)


On 16 May 2013, Sean Sullivan published an article on the F-Secure blog about a new Mac OS X malware discovered on the Mac of an African activist by Jacob Appelbaum during an Oslo Freedom Forum workshop.

According to the Unix file command, this binary is a Mach-O universal (fat) executable containing both x86 and x86-64 code. The VirusTotal report for this binary can be found here. Even a quick look at the sample shows that it is not packed, obfuscated or encrypted, so its strings and code can be read directly.

This sample contains two C&C URLs which, at the time of writing, both point to the same server IP (this differs from the F-Secure blog post, where the IP addresses of the two domains were different). That IP address belongs to the Linode hosting company.
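The three checks described above (what architectures the fat binary carries, whether the code looks packed or encrypted, and which C&C URLs sit in cleartext) can be reproduced offline. The script below is an added example, not code from the blog post or from this page: it parses the big-endian fat header that the file command reports on, verifies that each slice starts with a thin Mach-O magic, scores each slice's byte entropy as a packing indicator, and pulls plain-text URLs the way strings | grep http would. The input it runs on is a constructed two-slice file with made-up .invalid hostnames, not the Kitmos sample, and the entropy threshold of 7.0 bits/byte is a common rule of thumb, not a value taken from the post.

```python
import math
import re
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE          # fat header and fat_arch entries are always big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit thin Mach-O magic (little-endian on x86)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O magic
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64"}

FAT_HEADER = struct.Struct(">II")      # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")     # cputype, cpusubtype, offset, size, align (log2)

URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./?=&%\-]*)?")


def parse_fat_header(data):
    """Return [(arch_name, offset, size), ...] for every slice of a universal binary."""
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    slices = []
    for i in range(nfat):
        cputype, _subtype, offset, size, _align = FAT_ARCH.unpack_from(
            data, FAT_HEADER.size + FAT_ARCH.size * i)
        if offset + size > len(data):
            raise ValueError("slice %d runs past end of file" % i)
        slices.append((CPU_NAMES.get(cputype, "cputype_0x%x" % cputype), offset, size))
    return slices


def slice_is_mach_o(data, offset):
    """True if a thin 32- or 64-bit Mach-O header starts at offset (x86 slices are little-endian)."""
    return struct.unpack_from("<I", data, offset)[0] in (MH_MAGIC, MH_MAGIC_64)


def shannon_entropy(buf):
    """Bits per byte in 0.0..8.0; packed or encrypted data sits near 8, plain code and strings well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_urls(buf):
    """Cleartext URLs; only meaningful because the sample is not packed or encrypted."""
    return sorted({m.decode("ascii") for m in URL_RE.findall(buf)})


def triage(data, packed_threshold=7.0):
    """Per-slice summary: architecture, Mach-O check, entropy, packed verdict, embedded URLs."""
    report = []
    for name, offset, size in parse_fat_header(data):
        body = data[offset:offset + size]
        ent = shannon_entropy(body)
        report.append({
            "arch": name,
            "mach_o": slice_is_mach_o(data, offset),
            "entropy": round(ent, 2),
            "looks_packed": ent >= packed_threshold,   # rule-of-thumb threshold, an assumption
            "urls": extract_urls(body),
        })
    return report


def build_sample():
    """CONSTRUCTED input, not the Kitmos binary: an i386 + x86_64 fat file whose slices hold
    a Mach-O magic, two made-up C&C URLs and a NOP filler standing in for code."""
    strings = b"http://cc1.example.invalid/gate.php\x00http://cc2.example.invalid/gate.php\x00"
    body = b"\x00" * 64 + strings + b"\x90" * 256
    slice32 = struct.pack("<I", MH_MAGIC) + body
    slice64 = struct.pack("<I", MH_MAGIC_64) + body
    off32, off64 = 4096, 8192                         # page-aligned like real universal binaries
    header = (FAT_HEADER.pack(FAT_MAGIC, 2)
              + FAT_ARCH.pack(CPU_TYPE_X86, 3, off32, len(slice32), 12)
              + FAT_ARCH.pack(CPU_TYPE_X86_64, 3, off64, len(slice64), 12))
    out = bytearray(off64 + len(slice64))
    out[:len(header)] = header
    out[off32:off32 + len(slice32)] = slice32
    out[off64:off64 + len(slice64)] = slice64
    return bytes(out)


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry)
```

On a real sample you would read the file from disk instead of calling build_sample(); the parser deliberately refuses slices that run past the end of the file, which is the kind of malformed header a hostile binary can use to crash naive tools. Resolving the two hostnames to confirm they share one IP is left to dig or host, since that needs the network and the result changes over time, as the difference between this post and F-Secure's shows.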


 @misc{2013BFR1331,
   editor = {Steeve Barbeau},
   author = {Steeve Barbeau},
   title = {OSX Kitmos analysis},
   date = {20},
   month = May,
   year = {2013},
   howpublished = {\url{http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html}},