
New Mac Trojan ‘OS/X Crisis’ discovered



Mac security firm Intego has discovered a new Mac OS X Trojan, OS/X Crisis. The malware installs itself without user intervention and hides well if installed as root, but it has not yet been discovered on Mac users’ computers.

The threat affects only the two most recent versions of Mac OS X: Snow Leopard and Lion.

Intego describes OS/X Crisis as a Trojan dropper, which is a class of malware that is disguised as a game, screen saver, or a music file. It installs itself without users even being aware and then attempts to cover its tracks and mask its existence.

“It makes a lot of effort to hide itself, which is not very common in Mac Trojans,” Lysa Myers, a security researcher with Intego, told VentureBeat. “[That effort] is much more common in Windows Trojans.”


Most of the files that the Trojan creates are randomly named in order to avoid easy detection and removal, but a number of names appear consistently, and users can search for them to check if they are infected.

If you’re a bit more of a suspicious person, however, and don’t run your system as root or admin, only this file will be present:

  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions. That IP address may change over time, as malware authors often build in features resistant to simple blocking.
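The two indicators the article gives a defender something concrete to look for: the fixed file path left behind by a non-root install, and a connection to 176.58.100.37 roughly every five minutes. The script below is an added example, not code from Intego or VentureBeat. It checks for the marker file and scans connection log lines for hosts that contact the C2 address at a regular five-minute cadence. The log format (`<ISO timestamp> <src_ip> -> <dst_ip>:<port>`), the sample lines, and the 30-second tolerance are assumptions constructed for the example; adapt the regex to whatever your firewall or proxy actually emits.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the article.
CRISIS_INDICATOR_PATH = "/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r"
CRISIS_C2_IP = "176.58.100.37"
BEACON_INTERVAL = timedelta(minutes=5)

# Assumed log format for this example: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
LOG_LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

# Constructed sample log: 10.0.0.12 beacons every ~5 minutes, 10.0.0.45 connects once.
# 192.0.2.10 is a documentation address standing in for ordinary traffic.
SAMPLE_LOG = [
    "2012-07-24T10:00:02 10.0.0.12 -> 176.58.100.37:80",
    "2012-07-24T10:00:40 10.0.0.12 -> 192.0.2.10:443",
    "2012-07-24T10:05:01 10.0.0.12 -> 176.58.100.37:80",
    "2012-07-24T10:10:03 10.0.0.12 -> 176.58.100.37:80",
    "2012-07-24T10:15:02 10.0.0.12 -> 176.58.100.37:80",
    "2012-07-24T10:07:15 10.0.0.45 -> 176.58.100.37:80",
]


def indicator_file_present(root="/"):
    """Return True if the non-root marker file named in the article exists under root."""
    return os.path.exists(os.path.join(root, CRISIS_INDICATOR_PATH.lstrip("/")))


def parse_lines(lines):
    """Parse log lines into (timestamp, src, dst, port); lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beaconing(lines, c2_ip=CRISIS_C2_IP, interval=BEACON_INTERVAL,
                   tolerance=timedelta(seconds=30), min_hits=3):
    """Map each source host that contacts c2_ip at ~interval spacing to its timestamps.

    A host is flagged when at least min_hits contacts are spaced within
    tolerance of the expected interval (consecutive pairs are checked).
    """
    by_src = defaultdict(list)
    for ts, src, dst, _port in parse_lines(lines):
        if dst == c2_ip:
            by_src[src].append(ts)

    suspicious = {}
    for src, stamps in by_src.items():
        stamps.sort()
        regular_gaps = sum(
            1 for a, b in zip(stamps, stamps[1:])
            if abs((b - a) - interval) <= tolerance
        )
        # regular_gaps gaps imply regular_gaps + 1 evenly spaced contacts.
        if regular_gaps + 1 >= min_hits:
            suspicious[src] = stamps
    return suspicious


if __name__ == "__main__":
    print("marker file present:", indicator_file_present())
    for host, stamps in find_beaconing(SAMPLE_LOG).items():
        print(f"{host}: {len(stamps)} contacts to {CRISIS_C2_IP} at ~{BEACON_INTERVAL} spacing")
```

Because the article notes the C2 address may change, the cadence check matters more than the literal IP: run `find_beaconing` once per distinct destination in your logs and the five-minute rhythm will surface even after the address moves, whereas a static block on 176.58.100.37 alone will not.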

One question you might be asking: If it’s not “in the wild” yet, how did Intego find it?

I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.

Image credit: MG1408/ShutterStock
