OSX Kitmos analysis
| OSX Kitmos analysis | |
|---|---|
| Botnet | HangOver |
| Malware | Kitmos |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-05-20 |
| Editor/Conference | Steeve Barbeau |
| Link | http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html (blog.sbarbeau.fr, archive copy available) |
| Author | Steeve Barbeau |
| Type | Blogpost |
Abstract
“On 16th of May, Sean Sullivan published an article on the F-Secure blog about a new Mac OSX malware discovered on the Mac of an African activist by Jacob Appelbaum during an Oslo Freedom Forum workshop.
According to the Unix file command, this binary is a Mach-O executable containing x86 and x64 code. The VirusTotal report of this binary can be found here. With a really quick look at the sample, we can see that it is not packed, obfuscated or encrypted.
This sample contains two C&C URLs which in fact are at the moment pointing to the same server at IP 50.116.28.24 (this differs from the F-Secure blog post, where the IP addresses of both domains were different). This IP address points to the Linode hosting company.”
Bibtex
@misc{2013BFR1331,
  editor       = {Steeve Barbeau},
  author       = {Steeve Barbeau},
  title        = {OSX Kitmos analysis},
  date         = {20},
  month        = May,
  year         = {2013},
  howpublished = {\url{http://blog.sbarbeau.fr/2013/05/osx-kitmos-analysis.html}},
}