Pro-Syria Mac Trojan Spotted in the Wild

So far the SEA has not been implicated in spreading malware

According to Intego, the OSX/Leverage.A trojan was found on VirusTotal, submitted by a user in Belarus. The trojan itself is an application disguised as a picture: the .app file extension is hidden by default, so the user sees only what looks like a JPEG. That JPEG is a banner for the SEA, the group responsible for a range of high-profile media hacks, website defacements and Twitter hijackings. So far the SEA has not been implicated in spreading malware – the group, which backs Syrian President Bashar al-Assad’s regime, is known mainly for brand messaging: posting pro-Assad and anti-Obama messages on websites and in hijacked social media feeds.

Regardless, this seemingly pro-SEA trojan installs a permanent backdoor that allows the attacker to send a variety of commands. “In testing, we observed the [Command and Control (C&C) server] receiving a variety of system information about the affected machine, sending pings to monitor the connection, and trying to download the following image file to the machine, among other commands,” explained Intego researcher Lysa Myers, in a blog.

The Mac trojan hides itself from the Dock and from Cmd-Tab application switching. It then opens the JPEG image bundled inside the application with the standard OS X Preview application, which fools the user into thinking that what they opened was just an image file.

Once it’s installed, the trojan connects to the C&C server on port 7777.

But for now, it’s unclear how it is sent to affected users. “The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance,” Myers noted. “Depending on how the file is received, the behavior of the file in OS X may be slightly different.”

In some cases the only warning will be a Gatekeeper alert, and only when the user opens the application and it arrived via a download that set the quarantine bit.

There are several ways of downloading a file that would set the quarantine bit; for example, apps downloaded from the browser or an email client. Apps from other sources, such as file servers, external drives, or optical discs will not set the quarantine bit, unless the apps were originally downloaded from the internet and had the quarantine bit set at that time.
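The two details above, a bundle whose visible name mimics an image and the presence or absence of the quarantine attribute, are what a defender would check when triaging a suspect download. The following script is an added example, not Intego's code: it flags image-named .app bundles in a folder and decodes the com.apple.quarantine attribute (read via the macOS xattr tool); the sample attribute value and the Downloads path are assumptions.

```python
"""Triage helper: find .app bundles named like images and report whether
each carries the com.apple.quarantine attribute that Gatekeeper keys on.
Added example; the sample values below are constructed, not from a real case."""
import os
import subprocess
from datetime import datetime, timezone

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def looks_like_disguised_image(name):
    """True for bundles such as 'banner.jpg.app': Finder hides '.app' by
    default, so the user sees only what appears to be an image file."""
    stem, ext = os.path.splitext(name)
    return ext.lower() == ".app" and stem.lower().endswith(IMAGE_EXTS)

def parse_quarantine(value):
    """Decode a com.apple.quarantine value: 'flags;hex_time;agent;uuid'.
    The first two fields are hexadecimal; the agent is the program that
    wrote the attribute (browser, mail client); the UUID links the file
    to the LaunchServices quarantine database."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute: %r" % value)
    flags, ts, agent = int(parts[0], 16), int(parts[1], 16), parts[2]
    return {"flags": flags,
            "downloaded_at": datetime.fromtimestamp(ts, tz=timezone.utc),
            "agent": agent,
            "uuid": parts[3] if len(parts) > 3 else None}

def read_quarantine(path):
    """Return the raw attribute via the macOS xattr tool, or None when the
    file has no quarantine bit (e.g. copied from a file server or USB)."""
    try:
        proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                              capture_output=True, text=True)
    except FileNotFoundError:   # not on macOS, no xattr tool available
        return None
    return proc.stdout if proc.returncode == 0 else None

def triage(directory):
    """Yield (path, quarantine-value-or-None) for suspicious bundles."""
    for name in os.listdir(directory):
        if looks_like_disguised_image(name):
            path = os.path.join(directory, name)
            yield path, read_quarantine(path)

if __name__ == "__main__":
    # Constructed sample value, shaped as a browser download would write it.
    print(parse_quarantine("0083;5241d1b0;Safari;0F5C8D3E-1111-2222-3333-444455556666"))
    for path, q in triage(os.path.expanduser("~/Downloads")):  # assumed folder
        print(path, "quarantined" if q else "no quarantine bit: Gatekeeper will not prompt")
```

A bundle reported without the quarantine bit is the case the article describes: Gatekeeper stays silent, so the file deserves a closer look before anyone opens it.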

There is, however, some good news to report. At the time of writing, the C&C server is down and no longer sending commands to affected users. And, the trojan doesn’t affect OS X 10.8 users, meaning that a simple upgrade can keep users protected.

“While this is known to be affecting users, this is considered to be a low-risk threat at this time, as it appears to be a targeted attack,” Myers said. “This rating may be changed as more information comes to light. If possible, it’s advised that users keep all their software, particularly operating system, browsers and browser plugins (such as Flash and Java if applicable) up to date as exploits are common ways for such attacks to spread.”
