F-Secure researchers have spotted a new Mac malware that continuously takes screenshots, records audio, and uploads both to a remote server.
What is interesting about this Mac malware is that it abuses the Right-to-Left Override (RLO) character to hide its real extension. The method is not new: Windows malware such as Bredolab and other trojans have used it before.
The RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew.
The malware analyzed by F-Secure uses "Recent New.ppa.pdf" as the file name of the malicious file. Judging by the extension alone, one might think it is just a PDF file, but in reality opening it launches an executable .app bundle.
Because of the RLO character in the file name, the usual OS X file quarantine notification is rendered backwards.
The notification therefore reads: "RecentNews. Are you sure you want to open fdp " is an application downloaded it" from Internet."
Once launched, the malware displays a decoy document while silently installing malicious code on the victim's computer.
According to the F-Secure malware report, the threat is written in Python, uses py2app for distribution, and is signed with an Apple Developer ID.
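As an added example (not code from the article or from F-Secure), here is a small Python check a defender could run over names of downloaded files or mail attachments: it locates Unicode bidi override characters, approximates how a bidi-aware renderer would display the name, and flags a mismatch between the displayed and the real extension. The sample file name is constructed to mirror the one described above.

```python
import unicodedata

# Unicode bidi classes of the invisible formatting characters (U+202A..U+202E,
# U+2066..U+2069) that can reorder how a file name is displayed.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Constructed sample: "Recent New." + RLO + "fdp.app" is displayed as
# "Recent New.ppa.pdf" but is really a .app bundle.
SAMPLE_MALICIOUS = "Recent New.\u202efdp.app"
SAMPLE_BENIGN = "Recent News.pdf"


def find_bidi_controls(name: str) -> list[tuple[int, str, str]]:
    """Return (index, code point, bidi class) for every bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.bidirectional(c))
            for i, c in enumerate(name)
            if unicodedata.bidirectional(c) in BIDI_CONTROL_CLASSES]


def displayed_name(name: str) -> str:
    """Approximate the rendered string: text after an RLO is shown reversed
    until a PDF (pop directional formatting) or the end of the string.
    Other bidi controls are simply dropped, since they are invisible."""
    out, i = [], 0
    while i < len(name):
        cls = unicodedata.bidirectional(name[i])
        if cls == "RLO":
            j = i + 1
            while j < len(name) and unicodedata.bidirectional(name[j]) != "PDF":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1  # skip the PDF if present; past the end otherwise
        elif cls in BIDI_CONTROL_CLASSES:
            i += 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Lower-cased extension after the last dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def assess(name: str) -> dict:
    """Report bidi controls in the name and whether the extension a user sees
    differs from the extension the OS will actually act on."""
    controls = find_bidi_controls(name)
    shown, real = extension(displayed_name(name)), extension(name)
    return {"controls": controls, "displayed_ext": shown, "real_ext": real,
            "mismatch": shown != real, "suspicious": bool(controls)}
```

Any bidi control in a file name is worth flagging on its own; the extension mismatch is the specific trick this sample relies on.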
[Image: OS X file quarantine notification. Image credit: F-Secure]