Beware of OSX/KitM Mac Spyware

Security researchers at F-Secure Labs reported the discovery of a new piece of malicious code named KitM, which targets the Mac OS X operating system. KitM (Kumar in the Mac), also known as HackBlack, is a backdoor that captures screenshots and sends them to a remote server controlled by the attackers. It also opens shell access on the infected computer, allowing the attacker to execute commands on the victim's machine.

The recently detected malware samples were signed with a valid Apple Developer ID certificate, issued by Apple to Rajinder Kumar; because the certificate was valid, the samples bypassed Gatekeeper, the security tool present in Mac OS X Mountain Lion.

The first two samples detected by F-Secure connected to C&C servers in the Netherlands and Romania. Separately, security vendor Norman Shark reported that the code used in KitM was also used in Operation Hangover. Active KitM variants were used in attacks from December of last year to February of this year.


[Figure: Customizing the Mac Gatekeeper setting to allow the App Store only]

It is also important to note that Apple revoked the compromised certificate last week, but this will not help victims who are already running the malware, because Gatekeeper verifies the certificate only once. It is recommended that you change the Gatekeeper setting to allow applications from the Mac App Store only.

If you are using a Mac, make sure to apply the following:

  • Install antivirus software with the latest signatures.
  • Keep all applications and system software up to date to fix any vulnerabilities on your computer.
  • Use only trusted sources for updates, such as the App Store.
  • Never click links or open attachments from untrusted sources.