Iranians are suspected in the latest malware attack against the defense industry. A bogus website for United Technologies Corporation offers software updates for either the DOS or Mac operating systems. While the attempt is not as sophisticated as most, it still poses a threat.
iKittens describes the curious malware this way: “MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases.” The report notes that the malware contains functions that do not work. It appears to be a first attempt at a broader goal.
The spoofed United Technologies site also names employees of other defense contractors, such as “Lockheed Martin, Sierra Nevada Corporation, Raytheon and Boeing.”
With this particular build of MacDownloader, a fake Adobe Flash Player dialog is displayed upon execution, prompting the victim to click an “Update Flash-Player” button. Interestingly, clicking the “Close” button does in fact make the application exit. After the victim clicks the Update button, … fake dialog is displayed, announcing that adware was discovered on the computer and that the application is in the process of cleaning it up.
Notably, current versions of protective software do not detect the malware. Taking a cue from Google and others, Apple started a bug bounty program last year, offering rewards to those who find weaknesses in the various Mac operating systems.
AppleInsider reports that this attack has also affected at least one nonprofit engaged in human rights activities in Iran. The iKittens researchers note their belief that the defense community and the human rights community use Macs in greater numbers.
While not definitive, the research points to elements within the code that suggest Persian grammar. In addition, other elements refer to previously identified Iranian individuals, groups and companies suspected of being connected to the Iranian security apparatus. Iran is known to be active in defacing websites operated by regime opponents, and other malware and exploits of various types have been traced to the country in the past.