Intego found two samples of the new version, designated as Imuler.C, on the VirusTotal website, which is used by security companies to share malware samples. In both samples, an application was included with an icon making it look like an image.
Intego explained that the technique “takes advantage of a default setting in the Mac OS X Finder, whereby file extensions are not displayed. Users double-clicking on the application launch the malware, which quickly deletes itself, replacing the original application with a real JPEG image corresponding to the one that was an application, and displays this image in the user’s default image viewer. There is no visible trace of the application after this point.”
The malware then installs a backdoor on the machine. “This malware searches for user data, and attempts to upload it to a server. It also takes screenshots and sends them to the server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. We have seen that this malware is active, as it connects to a remote server and downloads new executables”, Intego related.
Intego recommends that Mac users display file extensions in the Finder’s Advanced preferences and that they not open an application that has an icon of a photo.