Share

Top 5 Stories

News

Mac Spyware Hides File Extensions to Evade Detection

15 July 2013

A new cyber-espionage malware targeting the Mac operating system has been spotted, dubbed Janicab. It uses a right-to-left override (RLO) trick to evade detection, which is a tactic familiar on the PC side from the high-profile Mahdi trojan from last year.

The RLO move, F-Secure explained in a blog, is a special character used in bi-directional text encoding system to mark the start of text that are to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and Mahdi to hide the real extension of executable files by reversing it from the usual string. That way, instead of showing up with an .exe extension, they have .doc or .txt. In other words, they don’t look like obviously malicious files to security software.

The objective of the RLO trick in this case is “simply to hide the real extension”, F-Secure noted. “The malware could have just used ‘Recent New.pdf.app.’ However, OS X has already considered this and displays the real extension as a precaution.” The RLO trick subverts this so that the usual file quarantine notification from OS X will be backwards to avoid detection.

Interestingly, the new malware, a Python variant, is signed with an Apple Developer ID. The malware then continuously takes screen shots and records audio (using a third-party software called SoX), and uploads its booty to the command-and-control server. It also continuously polls the command-and-control server for commands to execute.

Usually spread via spearphishing and spam campaigns, if a user clicks on the supposedly innocuous file, it drops and opens a decoy document on execution to keep up appearances. That actually masks the creation of a hidden folder in the home directory of the infected user to store its components.

Once Apple revokes the ID, the Mac Gatekeeper will flag these “documents” as a potentially problematic program, but in the meantime users should as always take precautions when downloading documents from unknown sources.

The threat can be extensive: take the Mahdi malware, uncovered by Israeli security firm Seculert working with Kaspersky in 2012, which targets organizations in the Middle East with a spearphishing campaign that spread a malware-laden Word document attachment. Once the malware is downloaded, Mahdi disguises the communication between the malware and the command-and-control server, delivering updates and data-stealing modules that target critical infrastructure engineering firms, government agencies, financial houses and academia. Over the course of several months last year, it spread to thousands of victims in the region.

This article is featured in:
Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×