Security researchers have identified multiple samples of the recently discovered “KitM” spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.
KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screenshots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.
The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.
The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate issued by Apple, in this case to someone named “Rajinder Kumar.” Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.
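Because a valid Developer ID signature identifies the signer rather than vouching for the software, one defensive check is to audit installed applications by signer name. The following is an added example, not code from the original article: it classifies saved `codesign -dvv` output by its leaf signing authority and flags names on a watchlist. The sample dumps and application paths are constructed, and the watchlist holds only the signer name reported above.

```python
import re

# Watchlist of Developer ID signer names (lowercase); the single entry is the
# name the article reports. Extend as an assumption of your own environment.
FLAGGED_SIGNERS = {"rajinder kumar"}

# Leaf authority line printed by `codesign -dvv`; newer macOS releases append
# a 10-character team ID in parentheses, which is optional here.
_LEAF = re.compile(r"^Authority=Developer ID Application: (.+?)(?: \([A-Z0-9]{10}\))?$")

def classify(codesign_output, flagged=FLAGGED_SIGNERS):
    """Return (status, signer) for the text of one `codesign -dvv` run."""
    if "code object is not signed at all" in codesign_output:
        return ("unsigned", None)
    lines = codesign_output.splitlines()
    authorities = [l for l in lines if l.startswith("Authority=")]
    if not authorities:                      # e.g. ad hoc signature, no chain
        return ("no-authority", None)
    leaf = authorities[0]                    # first Authority line is the leaf
    match = _LEAF.match(leaf)
    if not match:                            # App Store or Apple system chain
        return ("other-chain", leaf[len("Authority="):])
    signer = match.group(1).strip()
    if signer.lower() in flagged:
        return ("flagged-developer-id", signer)
    return ("developer-id", signer)

def flagged_apps(dumps):
    """Return sorted app paths whose leaf signer is on the watchlist."""
    return sorted(p for p, out in dumps.items()
                  if classify(out)[0] == "flagged-developer-id")

_CHAIN = "Authority=Developer ID Certification Authority\nAuthority=Apple Root CA\n"

# Constructed sample dumps (not captured from real systems or real malware).
SAMPLES = {
    "/Applications/Sample-A.app":
        "Identifier=com.example.a\n"
        "Authority=Developer ID Application: Rajinder Kumar\n" + _CHAIN,
    "/Applications/Sample-B.app":
        "Identifier=com.example.b\n"
        "Authority=Developer ID Application: Example Corp (ABCDE12345)\n" + _CHAIN,
    "/Applications/Sample-C.app":
        "/Applications/Sample-C.app: code object is not signed at all\n",
}

if __name__ == "__main__":
    for path, dump in SAMPLES.items():
        print(path, classify(dump))
```

On a Mac, the input for each application can be collected with `codesign -dvv <path>`, which writes this information to standard error.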