OSX.Bella trojan discovered installing backdoors into Macs

By

15 inch MacBook Pro Silver
It might be time to update your passwords again.
Photo: Apple

Security researchers have discovered a nasty bit of Mac malware similar to OSX.Dok trojan, which can bypass Apple’s GateKeeper feature.

The new bug, dubbed OSX.Bella, behaves and distributes itself in a completely different manner than OSX.Dok. But once installed, it executes a script that’s just as damaging.


Discovered by Malwarebytes reseacher Adam Thomas, the new bug uses the same installation method of OSX.Dok by masquerading as a document. Once a machine is infected, the bug installs an open-source backdoor named Bella.

OSX.Bella Mac malware

This Mac malware variant also copies /Users/Shared/AppStore.app and displays an alert claiming the app is damaged. Instead of rendering your Mac unusable by displaying a full-screen app update that forces you to fork over your admin password, OSX.Bella simply closes and deletes itself after a minute or so.

While the malware doesn’t seem insidious from the outside, the Python script it runs behind the scenes possesses some frightening capabilities. Researchers found the Bella script can access iMessage transcripts, infiltrate Find My iPhone, phish passwords, capture data from your microphone and FaceTime camera, and capture screenshots.

OSX.Bella could prove crippling to businesses. The trojan can exfiltrate a large amount of sensitive company data, including passwords, code-signing certificates and hardware locations.

The good news is the code-signing certificate for OSX.Bella has already been revoked, so you can’t get infected by it now. Your Mac could have been infected in the past, though. If so, Malwarebytes recommends changing all your passwords.