New Mac Malware Used in Cyberespionage Campaign

Credit: John David Bigl III/Shutterstock

(Image credit: John David Bigl III/Shutterstock)

A dangerous new type of Mac malware has been discovered, and the criminals behind it appear to be a group known for targeting United States industrial companies. Experts say the malware proves that cybercriminals are increasingly targeting Macs as well as PCs.

The malware, a backdoor program called XSLCmd, uses a technique called "reverse shell" to install itself on a targeted Mac OS X computer. It can then download more malware to the infected Mac, create lists of the files stored on the computer and transfer those files to other computers.

MORE: Can You Trust Apple with Your Data?

XSLCmd originated as Windows malware in 2009. The new Mac version, detected by security company FireEye, has two new features: it logs every keyboard press a user makes (to collect users' passwords, search histories, email messages and more) and takes screenshots.

XSLCmd also checks the version number of the Mac's operating system, but doesn't seem to be able to account for anything higher than Mac OS X 10.8 Mountain Lion. FireEye's researchers suggest that Mountain Lion was probably the most recent, or at least the most common, Mac operating system at the time that XSLCmd was written, which would make it at least 10 months old.

FireEye classifies XSLCmd as an "advanced persistent threat" (APT), industry shorthand for a probably state-sponsored, possibly Chinese, espionage campaign. At least one known group of spies, which FireEye calls GREF, uses XSLCmd and frequently targets the U.S. defense industry. Other targets include international electronics companies, engineering companies, foundations and non-governmental organizations, particularly those with a focus on Asia.

GREF is also known for using highly sophisticated attacks and exploits in their attacks, instead of relying on phishing and other types of social engineering to penetrate targets.

This is serious news for critical-infrastructure operators, but also means regular Mac users probably won't be targeted by XSLCmd.

It's also not the first time researchers have found criminals adapting Windows malware for Mac devices.

"Across the global threat landscape, there has been a clear history of leveraging (or porting) Windows malware to the Apple OS X platform," FireEye notes in its blog. 

Macs are attractive to cybercriminals for a number of reasons.

"OS X has gained popularity across enterprises, from less-savvy users who find it easy to operate, to highly technical users that utilize its more powerful features, as well as with executives," noted the FireEye blog posting. "Many people also consider it to be a more secure computing platform, which may lead to a dangerous sense of complacency in both IT departments and with users."

A more detailed description of how XSLCmd uses reverse shell to infect Mac computers can be found in FireEye's writeup of the malware.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.