{"id":21938,"date":"2014-01-20T14:58:15","date_gmt":"2014-01-20T22:58:15","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=21938"},"modified":"2016-10-07T12:19:36","modified_gmt":"2016-10-07T19:19:36","slug":"new-osx-crisis-variant-invokes-pope-francis","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/","title":{"rendered":"New OSX\/Crisis Variant Invokes Pope Francis"},"content":{"rendered":"<p>A new sample of <a title=\"New Apple Mac Trojan Called OSX\/Crisis Discovered\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team\/\" target=\"_blank\">OSX\/Crisis<\/a>, the too popular Da Vinci rootkit from Hacking Team, <a title=\"Antivirus scan for 5a88ed9597749338dc93fe2dbfdbe684\" href=\"https:\/\/www.virustotal.com\/en\/file\/a2e3f93fc91cc4f0f5b28605371d89a6c4bdb3a7e841097dc7615bc2aa43a779\/analysis\/\" target=\"_blank\">reached our Malware Lab<\/a>\u00a0during the weekend.\u00a0We currently do not have information about the origin of the file on VirusTotal, named &#8220;Frantisek,&#8221; but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis?<\/p>\n<p>Like the\u00a0<a title=\"New Apple Mac Trojan Called OSX\/Crisis Discovered\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team\/\" target=\"_blank\">previous<\/a>\u00a0<a title=\"New OSX\/Crisis or Business Cards Gone Wild\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-business-cards-gone-wild\/\" target=\"_blank\">variants<\/a>,\u00a0OSX\/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.<\/p>\n<p>The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program. For this reason, an incautious researcher using a debugger could get infected without even noticing it.\u00a0While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.<\/p>\n<p>Following is a screenshot of the resolved symbols hash of the dropper in\u00a0<a href=\"https:\/\/www.hex-rays.com\/products\/ida\/\" target=\"_blank\">IDA<\/a>:<\/p>\n<p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/crisis-c-hash-symbols\/\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-21960\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2014\/01\/crisis.c-hash-symbols.png\" alt=\"OSX\/Crisis.C - screenshot of the resolved symbols hash of the dropper in IDA\" width=\"489\" height=\"380\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2014\/01\/crisis.c-hash-symbols.png 489w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2014\/01\/crisis.c-hash-symbols-150x116.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2014\/01\/crisis.c-hash-symbols-300x233.png 300w\" sizes=\"(max-width: 489px) 100vw, 489px\" \/><\/a><\/p>\n<p>When the dropper runs successfully, it hides the following files in the user&#8217;s home directory (in the Library\/Preferences folder), inside a fake application bundle called\u00a0OvzD7xFr.app:<\/p>\n<ul>\n<li>1 backdoor: <a title=\"Antivirus scan for 4df3bce0bbc488119033dcfc0dc0a746\" href=\"https:\/\/www.virustotal.com\/en\/file\/890e3c5e057abd62ccbac73db75b2aba5de1e2a6d2eadada9dc770da4d57672b\/analysis\/1390242331\/\" target=\"_blank\"><em>8oTHYMCj.XIl<\/em><\/a> (32-bit)<\/li>\n<li>1 configuration file: <a title=\"Antivirus scan for aca104a944ae48847bb5b47431fd6012\" href=\"https:\/\/www.virustotal.com\/en\/file\/39f9901d9ef707d58d2bddea312871cdf964ba5872a74b2e1340db4799c8a2b2\/analysis\/1390242453\/\" target=\"_blank\"><em>ok20utla.3-B<\/em><\/a><\/li>\n<li>2 kernel extentions: <a title=\"Antivirus scan for 173daa0a7b020aaf044686df9430c1d6\" href=\"https:\/\/www.virustotal.com\/en\/file\/7fb5e5c464d8d6af28ab976afd4d86ef070741dd5e6716d37efd7bfcb6bf1aef\/analysis\/1390242784\/\" target=\"_blank\"><em>Lft2iRjk.7qa<\/em><\/a> (32-bit) and <a title=\"Antivirus scan for 3b00f4888cc8211aa7094a74ed198d06\" href=\"https:\/\/www.virustotal.com\/en\/file\/f940dcdcbc0093fc119f6d6e833f56464100f747861da475402557a3bc4f61ab\/analysis\/1390242959\/\" target=\"_blank\"><em>3ZPYmgGV.TOA<\/em><\/a> (64-bit)<\/li>\n<li>1 scripting addition: <a title=\"Antivirus scan for 209663d7067c2acad5ab0d010be37ed0\" href=\"https:\/\/www.virustotal.com\/en\/file\/2e19e30d0ba0cf8b5c8fc079b08b21c2038853b4b54fe9001814f8204e1281e2\/analysis\/\" target=\"_blank\"><em>EDr5dvW8.p_w<\/em><\/a> (FAT)<\/li>\n<li>1 <a title=\"XPC Interprocess Communication and Services\" href=\"https:\/\/developer.apple.com\/library\/mac\/documentation\/macosx\/conceptual\/osx_technology_overview\/SystemTechnology\/SystemTechnology.html\" target=\"_blank\">XPC service<\/a>: <a title=\"Antivirus scan for b2e05fb1c68bf4b4caa0523d3311290e\" href=\"https:\/\/www.virustotal.com\/en\/file\/b661d99e99cea1a0254d355549314f7e36fc359f5167344cd63e556773c5e014\/analysis\/1390243121\/\" target=\"_blank\"><em>GARteYof._Fk<\/em><\/a> (FAT)<\/li>\n<li>1 TIFF image, a System Preferences icon, ripped of <a title=\"Linkinus 2 - IRC for your Mac\" href=\"http:\/\/conceited.net\/products\/linkinus\" target=\"_blank\">Linkinus<\/a> preferences panel: <a title=\"Antivirus scan for 8c89f81d9ec8d9c018f162bb4ea2758f\" href=\"https:\/\/www.virustotal.com\/en\/file\/82dfff6a88fc519bb3e40186b725ed09105241ee9fa7a81de9e9fef323da69da\/analysis\/\" target=\"_blank\"><em>q45tyh<\/em><\/a><\/li>\n<\/ul>\n<p>Then it executes the backdoor and finishes the installation by creating a LaunchAgent file,\u00a0<a title=\"Antivirus scan for 143d763f2a0e44f8241805ac85d1e7e1\" href=\"https:\/\/www.virustotal.com\/en\/file\/1d76f819989a0e39a6a912b97cf3d4603b2574eaeff44acac94058ccc2cf2024\/analysis\/1390243989\/\" target=\"_blank\">com.apple.mdworker.plist<\/a>.<\/p>\n<p>Similar to\u00a0<a title=\"New OSX\/Crisis or Business Cards Gone Wild\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-business-cards-gone-wild\/\" target=\"_blank\">OSX\/Crisis.B<\/a>, this binary is obfuscated using MPress packer. It doesn&#8217;t run on OS X 10.9 as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an &#8220;Image not found&#8221; exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).<\/p>\n<p>Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&amp;C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.<\/p>\n<p>At the time of this writing, the overhaul detection rate on VirusTotal is very low.<\/p>\n<p>Intego <a title=\"Intego VirusBarrier\" href=\"https:\/\/www.intego.com\/virusbarrier\" target=\"_blank\">VirusBarrier<\/a> with up-to-date malware definitions protects Mac users against this malware, detected as <strong>OSX\/Crisis.C<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have information about the origin of the file on VirusTotal, named &#8220;Frantisek,&#8221; but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis? Like the\u00a0previous\u00a0variants,\u00a0OSX\/Crisis.C is [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":8755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,5],"tags":[840,86,703,862,839],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New OSX\/Crisis Variant Invokes Pope Francis - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-01-20T22:58:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-10-07T19:19:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Arnaud Abbati\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png\",\"width\":\"400\",\"height\":\"260\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/\",\"name\":\"New OSX\/Crisis Variant Invokes Pope Francis - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage\"},\"datePublished\":\"2014-01-20T22:58:15+00:00\",\"dateModified\":\"2016-10-07T19:19:36+00:00\",\"description\":\"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\\u00a0during the weekend.\\u00a0We currently do not have\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New OSX\/Crisis Variant Invokes Pope Francis\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/cbc02d2ed3bdeeb64e8cf2737c231ce8\"},\"headline\":\"New OSX\/Crisis Variant Invokes Pope Francis\",\"datePublished\":\"2014-01-20T22:58:15+00:00\",\"dateModified\":\"2016-10-07T19:19:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage\"},\"wordCount\":458,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png\",\"keywords\":[\"Hacking Team\",\"Malware\",\"OSX\/Crisis\",\"OSX\/Crisis.C\",\"RCS\"],\"articleSection\":[\"Malware\",\"Security News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/cbc02d2ed3bdeeb64e8cf2737c231ce8\",\"name\":\"Arnaud Abbati\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9ac67b13519d6788f0f6e2df392735a3?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9ac67b13519d6788f0f6e2df392735a3?s=96&d=mm&r=g\",\"caption\":\"Arnaud Abbati\"},\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/aabbati\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/","og_locale":"en_US","og_type":"article","og_title":"New OSX\/Crisis Variant Invokes Pope Francis - The Mac Security Blog","og_description":"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have","og_url":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/","og_site_name":"The Mac Security Blog","article_published_time":"2014-01-20T22:58:15+00:00","article_modified_time":"2016-10-07T19:19:36+00:00","og_image":[{"width":"400","height":"260","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Arnaud Abbati","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png","width":"400","height":"260"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/","name":"New OSX\/Crisis Variant Invokes Pope Francis - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage"},"datePublished":"2014-01-20T22:58:15+00:00","dateModified":"2016-10-07T19:19:36+00:00","description":"A new sample of OSX\/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab\u00a0during the weekend.\u00a0We currently do not have","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"New OSX\/Crisis Variant Invokes Pope Francis"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/cbc02d2ed3bdeeb64e8cf2737c231ce8"},"headline":"New OSX\/Crisis Variant Invokes Pope Francis","datePublished":"2014-01-20T22:58:15+00:00","dateModified":"2016-10-07T19:19:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#webpage"},"wordCount":458,"commentCount":3,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png","keywords":["Hacking Team","Malware","OSX\/Crisis","OSX\/Crisis.C","RCS"],"articleSection":["Malware","Security News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/new-osx-crisis-variant-invokes-pope-francis\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/cbc02d2ed3bdeeb64e8cf2737c231ce8","name":"Arnaud Abbati","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/9ac67b13519d6788f0f6e2df392735a3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9ac67b13519d6788f0f6e2df392735a3?s=96&d=mm&r=g","caption":"Arnaud Abbati"},"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/aabbati\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/12\/MalwareAlert.png","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-5HQ","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/21938"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=21938"}],"version-history":[{"count":67,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/21938\/revisions"}],"predecessor-version":[{"id":58186,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/21938\/revisions\/58186"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/8755"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=21938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=21938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=21938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}