The RLO (Right-to-Left Override) trick, F-Secure explained in a blog post, relies on a special character in the Unicode bidirectional text system that marks the start of text to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and Mahdi to hide the real extension of executable files: the end of the filename is rendered in reverse, so instead of showing up with an .exe extension, the files appear to end in .doc or .txt. In other words, they don’t look like obviously malicious files to security software.
The objective of the RLO trick in this case is “simply to hide the real extension”, F-Secure noted. “The malware could have just used ‘Recent New.pdf.app.’ However, OS X has already considered this and displays the real extension as a precaution.” The RLO trick subverts this: the filename shown in the usual OS X file quarantine notification is displayed backwards, so the real extension is not obvious and the file avoids detection.
Interestingly, the new malware, a Python variant, is signed with an Apple Developer ID. Once running, it continuously takes screenshots and records audio (using third-party software called SoX) and uploads the captured data to its command-and-control server. It also continuously polls the command-and-control server for commands to execute.
The malware is usually spread via spearphishing and spam campaigns. If a user opens the supposedly innocuous file, it drops and opens a decoy document to keep up appearances; that masks the creation of a hidden folder in the infected user’s home directory, where the malware stores its components.
Once Apple revokes the Developer ID, Gatekeeper on the Mac will flag these “documents” as a potentially problematic program; in the meantime, users should, as always, take precautions when downloading documents from unknown sources.
The threat can be extensive: take the Mahdi malware, uncovered in 2012 by Israeli security firm Seculert working with Kaspersky, which targeted organizations in the Middle East with a spearphishing campaign that spread a malware-laden Word document attachment. Once installed, Mahdi disguises the communication between the malware and the command-and-control server, delivering updates and data-stealing modules aimed at critical infrastructure engineering firms, government agencies, financial houses and academia. Over the course of several months last year, it spread to thousands of victims in the region.