F-Secure spots Apple Mac trojan posing as a PDF file

According to the researcher, Brod, the malware starts by dropping a PDF file embedded in its own body and then opens it, in an attempt to keep the user from noticing the suspicious activity taking place at the same time.

The malware, he says, may be attempting to copy a technique used by Windows malware, which gives the executable a 'pdf.exe' double extension and an accompanying PDF icon so that it passes for a document. This Mac trojan, however, does not appear to have an icon.

However, he adds, there is another possibility: on the Apple Mac the icon is stored in a separate fork that is not readily visible in the OS, so the extension and icon, he asserts, could have been lost when the sample was submitted to his research team.

“If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires”, he notes.
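The masquerade patterns described above (a document-style extension or a double extension on an executable, an executable with no extension at all, and a PDF decoy carried inside the binary) can be checked mechanically. The following is an added triage example, not code from the article or from F-Secure; the sample byte strings are constructed here and stand in for real files.

```python
# Magic numbers: Mach-O (both byte orders, 32- and 64-bit), the fat/universal
# header (also used by Java class files, so it is a hint, not proof), PDF, PE.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                         # fat / universal binary
}
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
DOC_EXTS = {"pdf", "doc", "docx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "app", "scr", "com", "pkg"}

def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def assess(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes actually are."""
    exts = name.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    kind = content_type(data)
    findings = []
    # Windows-style double extension such as invoice.pdf.exe
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and claimed in EXEC_EXTS:
        findings.append("double-extension")
    # Name says "document", bytes say "executable"
    if claimed in DOC_EXTS and kind in ("mach-o", "pe"):
        findings.append("extension-mismatch")
    # Mac executables need no extension, so a bare name is itself worth a look
    if not exts and kind == "mach-o":
        findings.append("no-extension-executable")
    # An executable carrying a PDF past its own header: the decoy document
    if kind in ("mach-o", "pe") and PDF_MAGIC in data[4:]:
        findings.append("embedded-pdf-decoy")
    return {"name": name, "type": kind, "claimed_ext": claimed, "findings": findings}

# Constructed samples (not real malware): a 64-bit Mach-O header padded out and
# followed by a tiny PDF, a PE-style header with the same decoy, and a plain PDF.
SAMPLE_MACHO_DROPPER = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + b"%PDF-1.4\n%decoy\n"
SAMPLE_PE_DROPPER = PE_MAGIC + b"\x00" * 62 + b"%PDF-1.4\n%decoy\n"
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj << >> endobj\n"
```

Run `assess("statement", SAMPLE_MACHO_DROPPER)` to see the extension-less Mac case from the article flagged on both counts; a genuine PDF produces an empty findings list.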

Once run, the trojan installs a backdoor, Backdoor:OSX/Imuler.A, in the background. Its command-and-control server was, at the time of writing, a bare Apache installation not yet capable of communicating with the malware.

“Since this malware sample was received from VirusTotal, we cannot exactly be sure about the method it uses to spread. The most probable way is sending via e-mail attachment. The author could be just testing the water to see if the sample is detected by different AV vendors”, he notes.
