NEWS FROM THE LAB - Friday, September 23, 2011

Mac Trojan Posing as a PDF File Posted by ThreatSolutions @ 04:09 GMT

We may have come across a Mac malware in the making. Detected as Trojan-Dropper:OSX/Revir.A, the malware disguises itself as a PDF file to trick the user into triggering its payload.

It starts by dropping a PDF file embedded in its body and opening it, in an attempt to prevent the user from noticing the ongoing suspicious activity.

The content of the document is taken from an article that was circulating late last year, and contains Chinese-language text related to political issues, which some users may find offensive.

This malware may be attempting to copy a technique used by Windows malware, in which an executable with a ".pdf.exe" extension and an accompanying PDF icon is opened as if it were a PDF file. The sample in our hands does not have an extension or an icon yet. However, there is another possibility. Things are slightly different on a Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than on Windows, because the sample can use any extension it desires.
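One way an analyst can spot the decoy trick described above, regardless of what extension the author chose: classify the file by its leading bytes rather than its name, and look for a "%PDF-" document buried inside an executable body. This is an added example, not F-Secure's code; the Mach-O magic values are the standard ones, and the sample bytes are constructed here (they are not the Revir.A sample).

```python
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, byte-swapped)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC (universal; also the Java class magic)
}
PDF_MAGIC = b"%PDF-"


def inspect_file(name: str, data: bytes) -> dict:
    """Classify a file by content, not name, and report the tells a
    dropper-with-decoy leaves: an executable body that claims to be a
    PDF and/or carries a PDF document inside it."""
    head = data[:4]
    if head in MACHO_MAGICS:
        container = "mach-o"
    elif data.startswith(PDF_MAGIC):
        container = "pdf"
    else:
        container = "unknown"

    # A genuine PDF has its magic at offset 0; a decoy embedded in an
    # executable shows up somewhere later in the body.
    off = data.find(PDF_MAGIC)
    embedded = off if (container != "pdf" and off > 0) else None

    # On a Mac the name is whatever the author chose (or no extension at
    # all), so the name check is only one of the tells, never the verdict.
    claims_pdf = name.lower().endswith(".pdf")
    mismatch = claims_pdf and container != "pdf"

    return {
        "container": container,
        "embedded_pdf_offset": embedded,
        "extension_mismatch": mismatch,
        "suspicious": container == "mach-o" and (embedded is not None or mismatch),
    }


# Constructed inputs: a fake 64-bit Mach-O with a decoy PDF 64 bytes in,
# and a plain PDF for comparison.
SAMPLE_DROPPER = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + b"%PDF-1.4\n%decoy\n%%EOF\n"
SAMPLE_PDF = b"%PDF-1.4\n%%EOF\n"

if __name__ == "__main__":
    print(inspect_file("report.pdf", SAMPLE_DROPPER))
    print(inspect_file("report", SAMPLE_DROPPER))  # no extension, still flagged
    print(inspect_file("report.pdf", SAMPLE_PDF))
```

The embedded offset is worth recording: carving the decoy out at that offset gives the analyst the document the victim would have seen.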

The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background. As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet. The domain was registered on March 21, 2011 and was last updated on May 21, 2011.

Since this malware sample was received from VirusTotal, we cannot be sure exactly which method it uses to spread. The most probable way is as an e-mail attachment. The author could just be testing the waters to see whether the sample is detected by different AV vendors.

Updated to add: MD5 hashes for the samples:

  •  Trojan-Dropper:OSX/Revir.A: fe4aefe0a416192a1a6916f8fc1ce484
  •  Trojan-Downloader:OSX/Revir.A: dfda0ddd62ac6089c6a35ed144ab528e
  •  Backdoor:OSX/Imuler.A: 22b1af87dc75a69804bcfe3f230d8c9d


Analysis by — Brod