NEWS FROM THE LAB - Monday, July 15, 2013

Signed Mac Malware Using Right-to-Left Override Trick Posted by Brod @ 10:48 GMT

Right-to-left override (RLO) is a special character used in bi-directional text encoding system to mark the start of text that are to be displayed from right to left. It is commonly used by Windows malware such as Bredolab and the high-profile Mahdi trojan from last year to hide the real extension of executable files. Check out this Krebs on Security post for more details on the trick.

We've spotted a malware for Mac using the RLO trick. It was submitted to VirusTotal last Friday.

RLO character

The objective here is not as convoluted as the one described in Kreb's post. Here it's simply to hide the real extension. The malware could have just used "Recent New.pdf.app". However OS X has already considered this and displays the real extension as a precaution.

RLO trick in Finder
RLO trick in Terminal

The malware is written in Python and it uses py2app for distribution. Just like Hackback, it's signed with an Apple Developer ID.

Apple Developer ID

However, because of the RLO character, the usual file quarantine notification from OS X will be backwards just like the Krebs case.

OS X file quarantine notification

The malware drops and open a decoy document on execution.

Decoy document

Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.

Launch point and drop files

The malware connects to the following pages to obtain the address of its command and control server:

  •  https://www.youtube.com/watch?v=DZZ3tTTBiTs
  •  https://www.youtube.com/watch?v=ky4M9kxUM7Y
  •  http://hjdullink.nl/images/re.php

It parses for the address in the string "just something i made up for fun, check out my website at (address) bye bye".

The YouTube page look like this:

YouTube page

Doing a Google search for the string reveals that there are other sites being abused besides those mentioned above.

Google search

The malware then continuously takes screen shots and records audio (using a third party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.

The malware is detected by F-Secure as Backdoor:Python/Janicab.A.

Updated to add:

Here are the stats from one of the YouTube videos being used as a C&C locater:



The videos predate the Janicab.A binary by at least a month. Based on the stats, it seems likely there are earlier variants in the wild.