A new trojan specifically for Macs has been discovered that creates a backdoor on an affected user’s machine. This appears to be a targeted attack, though the method of delivery is not yet known (likely either sent by email or placed on a trusted site as part of a watering hole attack).
Mac security software company Intego, which first reported the malware, found it on VirusTotal, where it had been submitted by a user in Belarus. More details were not provided, but it’s safe to say users from all over the world could have their computers infected.
The trojan in question disguises itself as a picture. As you can see above, the .app file extension is not visible by default, and the bundle is typically given a name that looks like one generated by a digital camera.
Here are some details of the threat from Intego:
- When executed, the Trojan copies itself to /Users/Shared/UserEvent.app.
- It also creates a LaunchAgent in ~/Library/LaunchAgents/UserEvent.System.plist to launch the application /Users/Shared/UserEvent.app.
- It hides itself from the Dock and Cmd-Tab application switching. It then opens the JPEG image inside the application bundle with the standard OS X application Preview, which fools the user into thinking that it’s just an image file.
- Once installed, it connects to the C&C server on port 7777.
- It installs a permanent backdoor that allows the attacker to send a variety of commands. It also phones home with system information, pings to monitor the connection, and attempts to download the below image file to the machine.
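As an added defender's check (example code written for this article, not Intego's tooling), the script below looks for the persistence artifacts listed above and for an established connection to the reported C&C port 7777. The filesystem root and home directory arguments are assumptions added so it can be pointed at a mounted disk image or a test tree instead of the live system.

```shell
#!/bin/sh
# Look for the OSX trojan's persistence artifacts described by Intego:
#   /Users/Shared/UserEvent.app  and  ~/Library/LaunchAgents/UserEvent.System.plist
# Usage: check_userevent_persistence [ROOT] [HOME_DIR]
#   ROOT defaults to "/" and HOME_DIR to $HOME (both are assumptions for offline use).
# Exit status: 0 = no indicators found, otherwise the number of indicators matched.
check_userevent_persistence() {
    root="${1:-/}"; root="${root%/}"     # strip trailing slash so "/" becomes ""
    home="${2:-$HOME}"; home="${home%/}"
    found=0

    app="$root/Users/Shared/UserEvent.app"
    plist="$home/Library/LaunchAgents/UserEvent.System.plist"

    if [ -d "$app" ]; then
        echo "indicator: dropped bundle present at $app"
        found=$((found + 1))
    fi

    if [ -f "$plist" ]; then
        echo "indicator: LaunchAgent present at $plist"
        found=$((found + 1))
        # The agent is the persistence hook; confirm it actually targets the dropped bundle.
        if grep -q "/Users/Shared/UserEvent.app" "$plist" 2>/dev/null; then
            echo "indicator: LaunchAgent launches /Users/Shared/UserEvent.app"
            found=$((found + 1))
        fi
    fi

    return "$found"
}

# Flag established TCP connections whose remote port is 7777 (the reported C&C port).
# Reads "netstat -an"-style lines on stdin, e.g.:  netstat -an | check_c2_port
# Field layout assumed: proto recv-q send-q local-addr foreign-addr state
# Exit status: number of matching connections (0 = none seen).
check_c2_port() {
    awk '$1 ~ /^tcp/ && $5 ~ /[.:]7777$/ && $6 == "ESTABLISHED" {
             n++; print "indicator: established connection to C&C port 7777: " $5
         }
         END { exit n + 0 }'
}
```

A zero exit status from either function only means these specific artifacts are absent; a C&C that is currently down (as Intego reports) leaves no connection to find, so the filesystem check is the more durable of the two.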
Of course this isn’t proof enough that the Syrian Electronic Army, which has been responsible for a number of hacks as of late, is behind this trojan. It could very well be a sympathizer or someone looking to cover his or her tracks.
There is, however, some good news to report. First of all, the threat does not function on OS X 10.8: only earlier versions of the operating system are affected. In other words, you can protect your Mac by simply installing the latest operating system.
Furthermore, Intego notes that the Command and Control (C&C) server for this particular threat appears to be down and no longer sending commands to affected users. That being said, it’s not clear if it is down permanently or temporarily, and whether this is the end of the story or this was just a test for a broader attack.
Top Image Credit: Carlos Gustavo Curado