
Mac malware disguised with coding trick

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 17 Jul 2013

A piece of digitally signed spyware for Mac OS X has reared its head. Dubbed janicab.A, it uses a special Unicode character in its file name to disguise malicious installations as standard files, and fool users into installing them.

Researchers from F-Secure reported that the malware is written in Python and packaged as a standalone Mac application using the py2app utility.

The malware is distributed as a file called RecentNews.?fdp.app, where the '?' stands for the right-to-left override (RLO) character, U+202E in the Unicode encoding standard. An RLO character instructs software to display the text that follows it from right to left.

According to Macworld, Unicode supports characters from most languages, including languages written from right to left such as Hebrew and Arabic. For security reasons, Apple shows double extensions in its Mac OS X file manager. In this case, the RLO trick is being employed to obfuscate this, and make the .app appear to be a .pdf instead.
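The disguise described above is visible in the logical string even when a renderer hides it: the operating system resolves the extension from the stored characters, while the user sees the reversed run. The following Python is an added illustration, not code from the article, F-Secure or the malware; the file names in its sample listing are constructed, and the display model only handles RLO runs terminated by U+202C (Pop Directional Formatting) or the end of the name, which is enough for Latin-script file names. It reports every Unicode bidi control character in a name and whether the extension a user would see differs from the one the system will actually use.

```python
"""Flag file names that carry Unicode bidirectional-control characters.

Added illustration (not the article's, F-Secure's or the malware's code).
A name such as "RecentNews.<U+202E>fdp.app" keeps its real ".app"
extension in the stored string while a bidi-aware renderer shows it
as "RecentNews.ppa.pdf".
"""
import os
import unicodedata

# Explicit bidi formatting controls (the Unicode Bidi_Control characters).
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"


def bidi_controls_in(name):
    """Return [(index, 'U+XXXX NAME'), ...] for each bidi control in name."""
    return [
        (i, f"U+{ord(ch):04X} {unicodedata.name(ch)}")
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def real_extension(name):
    """The extension the OS acts on, taken from the stored (logical) string."""
    return os.path.splitext(name)[1]


def approximate_display(name):
    """Rough model of how a bidi-aware renderer shows the name.

    Assumption: only RLO ... PDF runs are modelled.  Text after an RLO is
    shown reversed until a PDF or the end of the string; other control
    characters are invisible and dropped.  The full Unicode bidi algorithm
    is more involved, but this suffices for Latin letters and punctuation.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            run = [c for c in name[i + 1:j] if c not in BIDI_CONTROLS]
            out.extend(reversed(run))
            i = j + 1            # skip the terminating PDF (or run off the end)
        elif ch in BIDI_CONTROLS:
            i += 1               # invisible control with no visual effect here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess(name):
    """Describe a file name: what is shown, what is real, and why it is flagged."""
    controls = bidi_controls_in(name)
    shown = approximate_display(name)
    real = real_extension(name)
    shown_ext = os.path.splitext(shown)[1]
    return {
        "name": name,
        "displayed_as": shown,
        "real_extension": real,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        # Any control character in a file name deserves a look; a visible
        # extension that differs from the real one is the disguise itself.
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and shown_ext.lower() != real.lower(),
    }


# Constructed sample directory listing (not real samples).
SAMPLE_NAMES = [
    "RecentNews.\u202efdp.app",   # the pattern described in the article
    "quarterly_report.pdf",       # ordinary name, not flagged
    "notes\u200f.txt",            # a lone RLM: control present, no disguise
]


def scan(names):
    """Return the assessment of every name that contains a bidi control."""
    return [a for a in (assess(n) for n in names) if a["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_NAMES):
        print(f"shown as {hit['displayed_as']!r}, really {hit['real_extension']}, "
              f"controls={hit['bidi_controls']}, mismatch={hit['extension_mismatch']}")
```

Run over a real directory with `scan(os.listdir(path))`; the `extension_mismatch` field isolates the case this article describes, while `suspicious` alone catches the broader class of names that carry any directional control.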

The ploy is not a new one, and has been used by Windows malware before, including in the notorious Armenian BredoLab Botnet, which sent viral e-mail spam, and was estimated to have infected 30 million computers around the world.

It was also previously employed by the Mahdi cyber espionage Trojan, a cyber spy network that targeted Iran and other countries in the region.

Opening the malware triggers a standard Mac OS X pop-up dialogue warning the user that the file was downloaded from the Internet, although the RLO character in the file name shows the warning written right to left, making it tricky to read. Once opened, janicab.A installs itself in a hidden file in the home directory, and opens a .pdf document that presents itself as a Russian news article.

The malware sits on the infected machine, taking screenshots, recording audio and uploading the information to command and control (C&C) servers that it finds by parsing the description of specific YouTube videos. In addition, it queries the C&C servers for commands to execute.

F-Secure researchers are of the opinion that janicab.A is being employed for targeted attacks, although the identity of the targets is not known.
