Mac Malware Hides File Extension

Tuesday, July 16, 2013 @ 03:07 PM gHale

Mac devices have been out of the malware picture for quite a while, but there is now a piece of malicious software targeting them.

An interesting aspect of Backdoor:Python/Janicab.A is that the file hiding the malware uses the right-to-left override (RLO) character to mask its extension, said researchers at F-Secure.

The Unicode RLO character supports languages written right to left, such as Hebrew or Arabic. However, malware developers have been abusing it to mask the extensions of malicious files.

In the case of the Mac malware analyzed by F-Secure, the malicious file actually has the .app extension (RecentNews.fdp.app). However, because the RLO character is placed just before the “f,” everything after it is displayed reversed and the file appears as RecentNews.ppa.pdf.
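As an added example (not code from the article or from F-Secure's analysis), the following Python flags file names that carry Unicode bidirectional control characters and shows how the RLO makes a name like RecentNews.fdp.app display as RecentNews.ppa.pdf. The rendering function is a simplified model of how a file browser draws the name, and the sample file name is constructed.

```python
import unicodedata

# Unicode bidi control characters that can alter how a file name is displayed.
# U+202E RIGHT-TO-LEFT OVERRIDE is the one described in the article.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                      # LRM, RLM, ALM
}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in a file name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate the displayed name: the control itself is invisible and, for an
    RLO, every character after it is drawn in reverse order. Simplified model:
    only the first U+202E is honoured; other controls are simply dropped."""
    if "\u202e" not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202e")
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def real_extension(name):
    """Extension the operating system actually uses: text after the last dot."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def assess(name):
    """Flag a name whose displayed extension differs from the real one."""
    shown = rendered_name(name)
    controls = find_bidi_controls(name)
    return {
        "raw": name,
        "displayed": shown,
        "displayed_ext": real_extension(shown),
        "real_ext": real_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_extension(shown) != real_extension(name),
    }


if __name__ == "__main__":
    # Constructed sample modelled on the RecentNews.fdp.app case in the article.
    sample = "RecentNews." + "\u202e" + "fdp.app"
    for key, value in assess(sample).items():
        print(f"{key}: {value!r}")
```

A scan of a download directory or mail attachment store with `assess()` surfaces exactly the names whose visible extension lies about what the OS will execute.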

Once launched, the malware drops a decoy document. In the meantime, it creates a cron job for its launch point, and a hidden folder where it stores its components.

The malware gets its command server’s address from YouTube videos and other websites.

Its main goal is to take screenshots and record audio by using a third-party application called SoX.

Janicab.A is written in Python, uses py2app for distribution, and was signed with an Apple Developer ID.