Mac malware spies on infected users through video and audio capture

After further analysis, more information has emerged about the Morcut Mac OS X malware (also known as “Crisis” by some anti-virus products) which was discovered this week.

Clearly OSX/Morcut-A was created with spying in mind, as its code includes hooks to control/monitor the following operations:

  • mouse coordinates
  • instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
  • location
  • internal webcam
  • clipboard contents
  • key presses
  • running applications
  • web URLs
  • screenshots
  • internal microphone
  • calendar data & alerts
  • device information
  • address book contents

In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could be used to read your private messages and conversations, and to open your email and other online accounts.

Fortunately, we haven’t seen Morcut in the wild. At the moment the threat is low. However, the complexity of the malware is yet another indication that malware on the Mac is becoming more serious – and designed to make money at your expense.


If you haven’t already done so, you really should run anti-virus software on your Mac. The software in the Mac App Store is (unfortunately) not up to the job, as it doesn’t include the real-time component essential to scan every file (and thus every potential threat) as it is opened.

Fortunately, if you are a home user, there is award-winning free anti-virus software for your Mac available. And yes, it works on Mountain Lion too. :)

By the way, if you’re curious about where the name “Crisis” came from, it’s a name which appears inside the malware’s code.

As far as we can tell, the author appears to have wanted his malware to be called “Crisis”.

However, there is some history and tradition in the computer security industry of not stroking the malware creator’s ego and deliberately ignoring their suggestion as to how their Trojan horse or virus should be named.

We’re delighted not to call the malware “Crisis”, but OSX/Morcut instead.



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
