As we predicted in our previous post on OSX/Filesteal, a new sample of FileSteal has been found. It was found on VirusTotal earlier today, though the sample seems to have been created in December of 2012. VirusBarrier already detects it as OSX/FileSteal.A.
The server used by this variant is at:
At the time of writing, the site was not responding.
It comes in a ZIP archive with the following file name:
- Christmas_Card.app.zip (SHA256 - 07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce)
Inside the ZIP is an application with the following name:
- FileBackup (SHA256 - e25bc53c1255507d17d7fa5cf79721d413f97250f6bf10df93f222f6a3073cf3)
This executable is signed with the same revoked developer certificate as the FileSteal.B variant, attributed to "Rajinder Kumar."
Remember that this information is useful as what's called "indications of compromise." If you see a file that matches these descriptions, there is a good chance that it's not a beneficial file. However, this does not mean that any file that doesn't match these descriptions will be safe. It's not possible to list the places you should not go on the Internet in order to be safe. There could be malvertisements or compromises that happen at any time, and you should always exercise caution, particularly when you're surfing the web or when you receive unexpected files via email.
Intego VirusBarrier users with up-to-date virus definitions will detect this trojan as OSX/FileSteal.A.
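One way to check a folder against the two SHA-256 values listed above, as an added example that is not part of the original post or any Intego tool: the script hashes every file under a directory and also every member of any ZIP archive it finds, since the FileBackup executable ships inside the archive. The names `FILESTEAL_IOCS` and `scan` are assumptions of this example.

```python
import hashlib
import os
import zipfile
import zlib

# SHA-256 values quoted in the post above, mapped to the file names it gives.
FILESTEAL_IOCS = {
    "07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce": "Christmas_Card.app.zip",
    "e25bc53c1255507d17d7fa5cf79721d413f97250f6bf10df93f222f6a3073cf3": "FileBackup",
}

def _sha256(stream, chunk=1 << 20):
    """Hash a file-like object in chunks so large files are never loaded whole."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def scan(root, iocs=FILESTEAL_IOCS):
    """Return sorted (location, label) pairs for each file under root, or member
    of a ZIP under root, whose SHA-256 appears in iocs."""
    hits = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and other non-regular files
            try:
                with open(path, "rb") as fh:
                    digest = _sha256(fh)
                if digest in iocs:
                    hits.append((path, iocs[digest]))
                if zipfile.is_zipfile(path):
                    with zipfile.ZipFile(path) as archive:
                        for info in archive.infolist():
                            if info.is_dir():
                                continue
                            with archive.open(info) as member:
                                digest = _sha256(member)
                            if digest in iocs:
                                hits.append((path + "!" + info.filename, iocs[digest]))
            except (OSError, zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
                continue  # unreadable, corrupt or encrypted: skip it, keep scanning
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for location, label in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {label}: {location}")
```

An empty result only means these two exact files were not found; a repacked archive or a rebuilt executable has a different hash.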