Newly Discovered Mac Malware Captures and Stores Screenshots

New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

macapp
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.

This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.

Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Popular Stories

sonny iphone 16 pro colors

New iPhone 16 and iPhone 16 Pro Colors Revealed Ahead of Apple Event

Friday September 6, 2024 5:01 am PDT by
Apple is "shaking up its color palette" for its iPhone 16 lineup this year, according to well-connected Bloomberg reporter Mark Gurman. Early iPhone 16 Pro dummy models via Sonny Dickson According to Gurman, the iPhone 16 Pro models will come in a Gold Titanium to replace Blue Titanium, while the Black, White, and Natural Titanium options that debuted with the iPhone 15 Pro will remain...
iPhone 16 Pro Mock Article

How Much Will the iPhone 16 Cost?

Friday September 6, 2024 5:43 am PDT by
Apple's next-generation iPhone 16 series is expected to launch on September 20 and will compete in a quickly evolving smartphone market, and with some notable upgrades rumored, the new models could see price changes compared to previous years. Successive iPhone models always come with new features and hardware upgrades, but Apple typically does not increase the retail prices as a result....
its glowtime event youtube

Report Details Last-Minute Apple Event Rumors About New iPhones, Apple Watches, and AirPods

Friday September 6, 2024 4:40 am PDT by
Bloomberg's Mark Gurman today shared his final expectations for Apple's "It's Glowtime" event, providing some new tidbits and clarifications about the new devices set to be announced on Monday. iPhone 16 Pro Along with larger 6.3- and 6.9-inch display sizes, the iPhone 16 Pro and iPhone 16 Pro Max will have bezels that are "now about a third slimmer" for a "sleeker overall look." The...
Generic iOS 18 Feature Real Mock

iOS 18 Coming Later This Month With These 8 New Features

Tuesday September 3, 2024 12:07 pm PDT by
iOS 18 has been in beta testing for nearly three months, and the software update will finally be released for all compatible iPhones soon. Apple should reveal iOS 18's exact release date during its September 9 event, with the most likely possibility being Monday, September 16. Below, we have highlighted eight key new features included in iOS 18. Note that Apple Intelligence is not coming...
apple watch series 9 display

'Noticeably Thinner' Apple Watch Series 10 to Eventually Get Sleep Apnea Detection

Friday September 6, 2024 4:42 am PDT by
The Apple Watch Series 10 will include a new sleep apnea detection feature, but it may not be available as soon as the new model launches, according to Bloomberg's Mark Gurman. Sleep apnea detection, which builds on the watch's existing sleep tracking, will attempt to determine if a wearer has sleep apnea and then suggest further testing with a medical professional. Gurman had expressed...
iPhone 16 Side 2 Feature

iPhone 16 Pro Rumored to Break This 7-Year Streak at Apple

Friday September 6, 2024 7:41 am PDT by
The upcoming iPhone 16 Pro might break a seven-year streak at Apple. Taiwanese research firm TrendForce today reported that the iPhone 16 Pro will start at $1,099 in the U.S. with 256GB of storage, whereas the iPhone 15 Pro starts at $999 with 128GB of storage. If this information is accurate, it means that the iPhone 16 Pro will cost more for customers who otherwise would have opted for a...

Top Rated Comments

VoR Avatar
148 months ago
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)
Score: 22 Votes (Like | Disagree)
shareef777 Avatar
148 months ago
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Score: 18 Votes (Like | Disagree)
Peace Avatar
148 months ago
I'd put this one in the category of stupid-ware.
Score: 14 Votes (Like | Disagree)
nagromme Avatar
148 months ago
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Why is the cert for this not revoked already?
When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
Score: 11 Votes (Like | Disagree)
kidde Avatar
148 months ago
Why is the cert for this not revoked already?
Score: 11 Votes (Like | Disagree)
Tankmaze Avatar
148 months ago
well how do you get the macs.app downloaded and running in the first place unless it's a pebkac. just use common sense people, this malware seems not to be that harmful, albeit it's annoying.
Score: 6 Votes (Like | Disagree)