Mac Malware Janicab Conceals File-Extension Using RLO
Security researchers at F-Secure recently identified a malicious program, Backdoor:Python/Janicab.A, that targets Mac computers. Notably, the malware arrives as a file whose extension is disguised with the RLO (right-to-left override) character. The trick has previously been used by Windows malware, notably the Mahdi and Bredolab Trojans.
RLO is a single Unicode control character normally used to render text that is written from right to left, as in Arabic or Hebrew. Malware authors, however, have abused the character to disguise malicious file extensions.
Take Backdoor:Python/Janicab.A: the malicious file's real extension is .app, as in RecentNews.fdp.app. Because the attackers inserted the RLO character just before the "f", however, the name is displayed as RecentNews.ppa.pdf.
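As an added example (not F-Secure's code and not part of the original report), the following Python script shows how a defender can detect this trick: it flags filenames that contain Unicode bidi control characters and reports the extension a user would see next to the one the OS actually uses. The sample filename is constructed to mirror the article's RecentNews example.

```python
import os

# Unicode bidirectional control characters that can reorder how a filename is
# displayed without changing the bytes the OS uses to choose a handler.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character Janicab abuses

# Constructed sample mirroring the article: real name RecentNews.fdp.app with
# an RLO inserted before the "f", so it renders as RecentNews.ppa.pdf.
SAMPLE = "RecentNews." + RLO + "fdp.app"


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows: everything after the
    first RLO is drawn right-to-left (a simplification of the full Unicode
    bidi algorithm that is sufficient for the single-override trick here)."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def real_extension(name):
    """Extension the OS actually dispatches on: the text after the last dot,
    with any invisible bidi controls stripped out."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def check_filename(name):
    """Flag names carrying bidi controls and report apparent vs. real extension."""
    controls = ["U+%04X" % ord(ch) for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "apparent_extension": os.path.splitext(shown)[1].lower(),
        "real_extension": real_extension(name),
    }


def scan_names(names):
    """Return the filenames (e.g. from os.listdir()) that use bidi controls."""
    return [n for n in names if check_filename(n)["suspicious"]]
```

Running `check_filename(SAMPLE)` reports the name as displayed (RecentNews.ppa.pdf, apparently a PDF) alongside the real extension .app, which is what makes a Finder double-click launch an application rather than open a document.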
F-Secure explains that the malware captures screenshots and records audio before uploading the files to a command-and-control (C&C) server. It also contacts the C&C server to receive instructions.
F-Secure Lab Analyst Broderick Aquilino explained that the malware's developers wrote their code in Python and packaged it for distribution using py2app, securityweek.com reported on July 15, 2013.
Commonly distributed via spam or spear-phishing, the seemingly harmless file, once clicked and executed, drops and opens a decoy document to keep up appearances. Meanwhile, a hidden file is created in the infected user's home folder to store the malware's components.
Interestingly, the malware is signed with an Apple Developer ID. If Apple revokes this ID, Gatekeeper will flag the files.
The threat could spread widely, much like Mahdi, which the Israel-based security company Seculert, in collaboration with Kaspersky, uncovered in 2012 targeting Middle Eastern organizations through a spear-phishing campaign that delivered a malicious Word document as an e-mail attachment. Mahdi disguises its communications with its C&C server, delivering data-stealing components and updates, and targets government agencies, critical-infrastructure engineering firms, academia and financial institutions. Over several months in 2012, Mahdi infected numerous victims in the Middle East.
» SPAMfighter News - 24-07-2013