A new threat has been discovered on VirusTotal which affects OS X, acting as spyware on affected systems. It uses an old trick that reverses the direction of text in order to hide its true file-extension and appear as a PDF file rather than an APP file. Like the recent FileSteal.B, the file is signed with an Apple ID so that it can bypass the middle level of Gatekeeper security.
The trick the malware uses to hide its true extension relies on a special character that’s designed to assist with transmitting information, regardless of what language is being used. Specifically, whether the language is read from right-to-left or left-to-right. This feature does cause some very strange behavior in various programs, as it may not be handled properly in all cases.
For instance, while the right-to-left override could trick a user in the Downloads folder, it won't do so in the Desktop folder. Amazingly, the right-to-left override also alters the Quarantine warning dialog, such that the text is reversed.
If the user accepts this very strange-looking quarantine warning, it runs a Python script that performs the following actions:
- It opens the "dummy" PDF file to show a Russian PDF with news extracted from a website.
- It creates an invisible folder named ".t" in current user home folder
- It copies files from the application to this new folder
- It appends a job to the current user crontab to execute the copied files every minute.
Usually, droppers would self-destruct, but this one does not. It remains after being executed.
Intego will have a more thorough analysis of this malware soon. Until then, Intego VirusBarrier with up-to-date virus definitions will protect Mac users against this threat, detecting it as OSX/Janicab.A. This is considered to be a low-risk threat at this time as it's not known to be affecting users, and its strange appearance would likely dissuade people from bypassing quarantine to let it run. This appears to be only one variant of many, so this may not be the last time we see this malware family.