Security researchers have discovered a nasty bit of Mac malware similar to the OSX.Dok trojan, which can bypass Apple’s GateKeeper feature.
The new bug, dubbed OSX.Bella, behaves and spreads in a completely different manner from OSX.Dok, but once installed it executes a script that’s just as damaging.
Discovered by Malwarebytes researcher Adam Thomas, the new bug uses the same installation method as OSX.Dok, masquerading as a document. Once a machine is infected, the bug installs an open-source backdoor named Bella.
OSX.Bella Mac malware
This Mac malware variant also copies itself to /Users/Shared/AppStore.app and displays an alert claiming the app is damaged. Instead of rendering your Mac unusable by displaying a full-screen app update that forces you to fork over your admin password, OSX.Bella simply closes and deletes itself after a minute or so.
While the malware doesn’t seem insidious from the outside, the Python script it runs behind the scenes possesses some frightening capabilities. Researchers found the Bella script can access iMessage transcripts, infiltrate Find My iPhone, phish passwords, capture data from your microphone and FaceTime camera, and capture screenshots.
OSX.Bella could prove crippling to businesses: the trojan can exfiltrate a large amount of sensitive company data, including passwords, code-signing certificates and hardware locations.
The good news is that the code-signing certificate for OSX.Bella has already been revoked, so you can’t get infected by it now. Your Mac could have been infected in the past, though. If so, Malwarebytes recommends changing all your passwords.
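A simple triage script for the indicator the article names, added here as an example (not code from the article or from Malwarebytes). It checks for the dropped /Users/Shared/AppStore.app bundle and, on macOS, asks GateKeeper via the spctl tool (an assumption: spctl is present on macOS, not on other systems) whether that bundle would still be allowed to run, which reflects the certificate revocation described above.

```python
"""Triage check for the OSX.Bella indicator path and its GateKeeper verdict."""
import os
import shutil
import subprocess
from typing import Dict, List, Optional

# Indicator from the article: the location the malware copies itself to.
INDICATOR_PATHS = ["Users/Shared/AppStore.app"]


def find_indicators(root: str = "/") -> List[str]:
    """Return the indicator paths that exist under `root`.

    `root` defaults to the live filesystem; passing another root lets the
    same check run against a mounted disk image or a test directory.
    """
    found = []
    for rel in INDICATOR_PATHS:
        candidate = os.path.join(root, rel)
        if os.path.exists(candidate):
            found.append(candidate)
    return found


def gatekeeper_verdict(bundle: str) -> Optional[str]:
    """Ask GateKeeper (spctl) whether `bundle` is accepted for execution.

    Returns the tool's verdict text, or None when spctl is unavailable
    (assumption: it only exists on macOS).
    """
    if shutil.which("spctl") is None:
        return None
    # --assess --type execute is the check GateKeeper makes at launch;
    # a bundle signed with a revoked certificate is reported as rejected.
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-v", bundle],
        capture_output=True, text=True, check=False,
    )
    return (proc.stdout + proc.stderr).strip() or f"exit status {proc.returncode}"


def triage(root: str = "/") -> Dict[str, Optional[str]]:
    """Map each indicator present under `root` to its GateKeeper verdict."""
    return {path: gatekeeper_verdict(path) for path in find_indicators(root)}


if __name__ == "__main__":
    hits = triage()
    if not hits:
        print("No OSX.Bella indicator path found.")
    for path, verdict in hits.items():
        print(f"{path}: present; GateKeeper says: {verdict or 'n/a'}")
```

A hit only means the bundle path exists; confirm with the signature details before acting on it, and remember the article's advice that an earlier infection may already have exposed passwords.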
5 responses to “OSX.Bella trojan discovered installing backdoors into Macs”
That’s it? “Change all your passwords” is the solution? I have at least 300 passwords to various sites and accounts and this would take me at least a week to track everything down–and I don’t even know how to check if I’m infected. How about answering these questions:
1. How is the trojan spread?
2. What type of document(s) should we be wary of?
3. Is there a method to determine if our computers have been affected?
4. Is anyone working on a fix for this? How about Apple? Did you bother to check?
5. How widespread is the trojan?
6. Is there a way to prevent the installation or be on guard for it?
Buster: Your article equates to “There’s something really scary going around and it could be very bad for you. Good luck.” It appears you copied someone else’s report and then distributed it as FUD.
It’s another typical Mac malware that can only be functional if you open a dodgy email, save a dodgy zip file to your disk, unarchive that dodgy zip file, launch a dodgy executable, discard all the warnings GateKeeper throws at you, and manually type your administrator password when that application pops up a dodgy dialog box.
It can “bypass GateKeeper” simply because it’s signed with a certificate from a valid developer. It’s not clear whether he/she should be responsible for all this mess, or whether someone else had stolen the identity. All Apple needs to do to stop this malware is revoke that certificate from the remote server, and Apple has already done that.
In other words, clickbait.
Thanks Richard. This gives me some information I can think with. Buster’s article is just bad sensationalist writing, and not at all helpful. Suggesting that everyone should simply change all their passwords is ridiculous and irresponsible without doing some kind of research to find out what the vector is that would allow the infection in the first place.
I get “dodgy” emails all the time from companies purporting to be my bank, Apple and other entities I deal with. I see “click this link to log into your account” emails all the time and simply trash them. I’ll continue to be on my guard as usual, but it appears that this is just more of the same old crap. I also assume that Apple will issue an OS update shortly to address the situation.
There is no need for an OS update since nothing was “breached”. Everything that OSX.Dok or OSX.Bella has done is a restricted but “legal” operation. It doesn’t take any security exploits, nor is there any bug within the system. You can do exactly the same thing by manually typing commands in Terminal, given that you have administrator privileges and the knowledge.
All Apple needs to do is revoke the certificate used to sign this malware, and that can be done simply by adding the certificate to the blacklist on Apple’s own server. Every internet-connected Mac will automatically update the certificate status whenever GateKeeper is invoked, thus preventing the malware from launching. That’s how the modern certificate system works.
The author suggests changing passwords because it’s already known that OSX.Dok intercepts the network communications of victim computers via a casual network administration tool called “socat”. If, by any chance, you submitted a username/password via a non-secured channel (which is very unlikely to happen today) on the infected machine, your password could have been logged.
Thanks for the additional information.