
Yet Another FileSteal Variant Found Today

Posted on May 21st, 2013 by

As we predicted in our previous post on OSX/FileSteal, a new sample of FileSteal has been found. It was uploaded to VirusTotal earlier today, though the sample appears to have been created in December 2012. VirusBarrier already detects it as OSX/FileSteal.A.

The server used by this variant is at:

  • liveapple.eu/MEny/upload.php

At the time of writing, the site was not responding.

It comes in a ZIP archive with the following file name:

  • Christmas_Card.app.zip (SHA256 - 07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce)

Christmas_Card.app

Inside the ZIP is an application whose executable has the following name:

  • FileBackup (SHA256 - e25bc53c1255507d17d7fa5cf79721d413f97250f6bf10df93f222f6a3073cf3)

This executable is signed with the same revoked developer certificate as the FileSteal.B variant, attributed to "Rajinder Kumar."

Remember that details like these are useful as what are called "indicators of compromise" (IOCs). If you see a file matching these names, hashes or this upload server, it is very likely malicious. The converse does not hold: a file that matches none of them is not therefore safe. It is not possible to list every place on the Internet you should avoid in order to stay safe; malvertisements and site compromises can appear at any time, so always exercise caution, particularly when browsing the web or when you receive unexpected files by email.
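As an added example, not part of the original post or of Intego's products, here is how the indicators above can be turned into a simple scanner: it hashes each file, compares the SHA256 against the two digests listed, flags the archive and executable names, and looks for the upload server's URL in file contents. The indicator values are copied from the post; the function and variable names, the size cap and the sample inputs are assumptions for illustration, and the sample bytes are constructed (they are not the malware).

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from the post above (hash -> what it identifies).
IOC_SHA256 = {
    "07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce": "Christmas_Card.app.zip",
    "e25bc53c1255507d17d7fa5cf79721d413f97250f6bf10df93f222f6a3073cf3": "FileBackup (executable inside Christmas_Card.app)",
}
IOC_FILENAMES = {"Christmas_Card.app.zip", "FileBackup"}
# Full upload URL first, bare host second; a content hit on either is a weak
# indicator on its own (a saved copy of this post would also match).
IOC_STRINGS = [b"liveapple.eu/MEny/upload.php", b"liveapple.eu"]

# Assumed cap on how much of a file is read for the string search.
MAX_CONTENT_BYTES = 64 * 1024 * 1024


def sha256_bytes(data):
    """Hex SHA256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def match_iocs(name, data):
    """Return a list of (indicator_type, detail) hits for one file's name and bytes.

    Order is fixed: filename, sha256, then content string, so callers can
    rely on it. An empty list means no indicator matched (not "clean").
    """
    hits = []
    if name in IOC_FILENAMES:
        hits.append(("filename", name))
    digest = sha256_bytes(data)
    if digest in IOC_SHA256:
        hits.append(("sha256", IOC_SHA256[digest]))
    for needle in IOC_STRINGS:
        if needle in data:
            hits.append(("string", needle.decode()))
            break  # report the most specific string only
    return hits


def check_file(path):
    """Apply match_iocs to a file on disk (reads at most MAX_CONTENT_BYTES)."""
    path = Path(path)
    with open(path, "rb") as f:
        data = f.read(MAX_CONTENT_BYTES)
    return match_iocs(path.name, data)


def scan_tree(root):
    """Walk a directory and return {path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            try:
                hits = check_file(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                findings[str(p)] = hits
    return findings


if __name__ == "__main__":
    # Constructed demo inputs (not real samples): name-only hit, content hit, no hit.
    samples = [
        ("Christmas_Card.app.zip", b"PK\x03\x04 constructed placeholder, not the real archive"),
        ("notes.txt", b"seen in traffic: liveapple.eu/MEny/upload.php"),
        ("readme.txt", b"nothing suspicious here"),
    ]
    for name, data in samples:
        print(name, "->", match_iocs(name, data) or "no indicator matched")
```

Only a SHA256 hit is conclusive for this sample; a filename or string hit is a reason to inspect the file (for example with `codesign -dvv` to see whether it carries the revoked "Rajinder Kumar" certificate the post mentions), not proof by itself, and a file with no hits has simply not been identified by these indicators.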

Intego VirusBarrier users with up-to-date virus definitions will detect this trojan as OSX/FileSteal.A.

  • Jay

    Does this have the same functionality? (Create screenshots, put them in a folder and upload them), if so where is the folder stored?

    • LysaMyers

      Hi Jay – This variant does still have the same basic functionality as the other variants. This appears to be somewhere in the malware family’s evolution between FileSteal.A and .B, bearing more similarity to the former.
