[FSec] Signed Mac Malware Using Right-to-Left Override Trick

Right-to-left override (RLO, U+202E) is a Unicode bidirectional-text control character: everything that follows it is displayed from right to left until the override ends. Windows malware such as Bredolab and last year's high-profile Mahdi trojan have used it to hide the real extension of executable files. See this Krebs on Security post for more details on the trick.

We've spotted a piece of Mac malware that uses the RLO trick. It was submitted to VirusTotal last Friday.

[Screenshot: janicab_1.png]


The objective here is less convoluted than the one described in Krebs's post: the RLO is used simply to hide the real extension. The malware could have just been named "Recent New.pdf.app", but OS X already anticipates that trick and displays the real extension as a precaution. Reversing the tail of the name with an RLO sidesteps that, since the characters of the real extension are drawn backwards, so that a name actually ending in ".app" can be shown as if it ended in ".pdf".

[Screenshot: janicab_2a.png]

[Screenshot: janicab_2b.png]
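
The following is an added example, not F-Secure's code and not code from the malware. It shows how an RLO in a file name changes what the user sees, and flags names whose displayed extension differs from the one the operating system will act on. The sample name "RecentNews.<RLO>fdp.app" is constructed for illustration, modelled on the "Recent New.pdf.app" discussion above; it is not the dropper's real name.

```python
# Added example (not F-Secure's or the malware's code): show how a right-to-left
# override (U+202E) in a file name disguises the real extension, and flag names
# that carry one. The sample file name below is constructed for illustration.
import unicodedata

# Unicode bidirectional control characters that can alter how a name renders.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
    "\u200e\u200f"                     # LRM RLM
)


def rendered_name(name: str) -> str:
    """Approximate what the user sees: the run after an RLO (up to a PDF
    terminator or the end of the string) is drawn reversed, and the control
    characters themselves are invisible. This is enough for Latin-script file
    names; the full Unicode bidi algorithm is not needed to reproduce the trick."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":                       # RLO: reverse the run it governs
            end = name.find("\u202c", i + 1)     # PDF ends the override
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:                # other controls draw as nothing
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name: str) -> str:
    base = name.rstrip(".")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze_filename(name: str) -> dict:
    """Compare the extension the OS acts on with the one the user is shown."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    real_ext = _extension(name)
    shown_ext = _extension(shown)
    return {
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_ext != shown_ext,
    }


# Constructed sample: the RLO sits before "fdp.app", so the tail is drawn as
# "ppa.pdf" and the bundle looks like a PDF while the OS still sees a .app.
SAMPLE_NAME = "RecentNews.\u202efdp.app"

if __name__ == "__main__":
    for n in (SAMPLE_NAME, "report.pdf"):
        print(repr(n), "->", analyze_filename(n))
```

A quarantine or mail gateway check can apply the same test to attachment names: the presence of any bidi control in a file name is already unusual, and a mismatch between the two extensions is the RLO trick itself.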


The malware is written in Python and packaged with py2app for distribution. Just like Hackback, it is signed with an Apple Developer ID, which is enough to satisfy Gatekeeper's default setting.

[Screenshot: janicab_3.png]


The signature does not help the user here, though: because of the RLO character, the file name in the usual OS X file quarantine notification is also shown backwards, just as in the Krebs case.

[Screenshot: janicab_4.png]


On execution the malware drops and opens a decoy document.

[Screenshot: janicab_5.png]


It then creates a cron job as its launch point and a hidden folder in the infected user's home directory to store its components.

[Screenshot: janicab_6.png]
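
As an added example (not F-Secure's code), here is a quick hunt over `crontab -l` output for the persistence pattern described above: a cron entry that launches something from a hidden directory inside a home folder. The sample crontab is constructed, and the ".jc" directory name is an assumption made for the example, not Janicab's actual path.

```python
# Added example (not F-Secure's code): hunt `crontab -l` output for entries that
# run something from a dot-directory under a user's home folder. The sample
# crontab is constructed; ".jc" is an assumed name, not the malware's real path.
import re

# /Users/<user>/.<dir> on OS X, /home/<user>/.<dir> on Linux
HIDDEN_HOME_DIR = re.compile(r"(?:/Users|/home)/[^/\s]+/\.[^/\s]+")


def parse_crontab(text: str) -> list[dict]:
    """Split crontab text into schedule/command entries. Comments, blank lines
    and single-token VAR=value assignments are skipped; @reboot-style
    schedules are treated as one field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:            # e.g. MAILTO="" or a malformed line
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        if command:
            entries.append({"schedule": schedule, "command": command.strip()})
    return entries


def suspicious_cron_entries(text: str) -> list[dict]:
    """Entries whose command references a hidden directory in a home folder."""
    return [e for e in parse_crontab(text) if HIDDEN_HOME_DIR.search(e["command"])]


# Constructed sample for a user "alice": one legitimate job, two that launch
# from a hidden folder the way the post describes.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=""
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
* * * * * /usr/bin/python /Users/alice/.jc/runner.py >/dev/null 2>&1
@reboot /Users/alice/.jc/runner.py
"""

if __name__ == "__main__":
    for e in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(e["schedule"], "->", e["command"])
```

Run it against the crontab of each local user (cron jobs are per user), and treat a hit as a lead rather than a verdict: legitimate tools do occasionally schedule scripts from dot-directories, so inspect the referenced file and check whether the directory was created recently.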


The malware connects to the following pages to obtain the address of its command and control server:

• http://www.youtube.com/watch?v=DZZ3tTTBiTs
• http://www.youtube.com/watch?v=ky4M9kxUM7Y
• http://hjdullink.nl/images/re.php

It parses each page for the sentence "just something i made up for fun, check out my website at (address) bye bye" and uses (address) as the command and control server.

The YouTube page looks like this:

[Screenshot: janicab_7.png]


A Google search for the string shows that other sites besides those listed above are being abused in the same way.

[Screenshot: janicab_8.png]
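
The carrier sentence above makes the C&C lookup easy to reproduce from saved page text. The following is an added example, not the malware's or F-Secure's code: it extracts every address embedded in that sentence and defangs it for a report. The sample page is constructed; 203.0.113.45 and example.net are reserved documentation addresses, not real C&C servers.

```python
# Added example (not F-Secure's or the malware's code): pull the C&C address
# out of the carrier sentence the post quotes. The sample page is constructed;
# 203.0.113.45 and example.net are reserved documentation addresses.
import re

# The sentence the post quotes; the address sits between "at" and "bye bye".
CARRIER_RE = re.compile(
    r"just something i made up for fun,\s*check out my website at\s*"
    r"(?P<addr>[^\s<]+?)\s*bye bye",
    re.IGNORECASE,
)


def extract_c2(page_text: str) -> list[str]:
    """Return every address found in the carrier sentence, in page order,
    with trailing punctuation stripped. A marker with no address yields nothing."""
    return [m.group("addr").rstrip(".,;)") for m in CARRIER_RE.finditer(page_text)]


def defang(addr: str) -> str:
    """Make an extracted address safe to paste into a report."""
    return (addr.replace("http://", "hxxp://")
                .replace("https://", "hxxps://")
                .replace(".", "[.]"))


# Constructed page text in the shape of a comment section: one bare IP, one
# URL with the sentence wrapped over two lines, and one marker with no address.
SAMPLE_PAGE = """\
<div class="comment">nice video!</div>
<div class="comment">just something i made up for fun, check out my website at 203.0.113.45 bye bye</div>
<div class="comment">Just something I made up for fun,
check out my website at http://example.net/panel/ bye bye</div>
<div class="comment">just something i made up for fun, check out my website at bye bye</div>
"""

if __name__ == "__main__":
    for addr in extract_c2(SAMPLE_PAGE):
        print(defang(addr))
```

The same function works on the hjdullink.nl page and on any other site found through the Google search, which makes it a cheap way to keep a watch list of the addresses the operators rotate through.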


The malware then continuously takes screenshots and records audio (using the third-party tool SoX) and uploads them to the command and control server. It also continuously polls the server for commands to execute.

The malware is detected by F-Secure as Backdoor:Python/Janicab.A.
On 15/07/13 At 10:48 AM
