The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.

Our Mac analyst (Brod) is currently investigating the sample.

It's signed with an Apple Developer ID.



The launch point:



It dumps screenshots into a folder called MacApp:



Functions:



There are two C&C servers related to this sample:


securitytable.org


docsforum.info

One C&C doesn't currently resolve, and the other:


Forbidden

Our detection is called: Backdoor:OSX/KitM.A. (SHA1: 4395a2da164e09721700815ea3f816cddb9d676e)