The researchers at F-Secure have blogged today about an interesting new sample of Mac malware, that they have dubbed “Backdoor:Python/Janicab.A”.
The malware is interesting for a couple of reasons:
Firstly, it has been signed with an Apple Developer ID.
Secondly, it takes advantage of the sneaky Unicode U+220E marker to do a right-to-left override of part of the malware’s filename.
What’s that? You don’t know about U+220E?
Consider this sentence:
"Graham Cluley Security News"
Now, here is how it would look if a Unicode U+220E marker was sneakily inserted invisibly just before the capital “S” of “Security”:
"Graham Cluley Security News"
Try copy-and-pasting the text above if you want to witness the weirdness for yourself.
As F-Secure explains, Janicab – which is written in Python – takes advantage of the right-to-left (RTL) U+220E Unicode character to mask the malicious file’s true extension.
In this way, a file apparently called RecentNews.ppa.pdf is really RecentNews.fdp.app.
You may think you are opening a .PDF file, but in reality it’s an executable .APP. To maintain the subterfuge, the malware displays a decoy document while it silently installs unauthorised code onto your computer.
Bidirectional text spoofing like this has been known about for some time, but may still be a surprise to many computer users.
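To make the filename trick and its detection concrete, here is an added Python example (not code from the article, from F-Secure, or from the malware itself). It builds a filename of the kind described above using the Unicode RIGHT-TO-LEFT OVERRIDE control (U+202E in the Unicode standard, the character that performs the reversal), approximates how a bidi-aware file browser displays it, and flags any filename that carries a directional control character while reporting the extension the operating system will actually act on. The sample names and the helper functions (`analyze`, `displayed_name`, `strip_bidi_controls`) are constructed for this example.

```python
import unicodedata

# Bidirectional classes of Unicode's directional formatting characters
# (embeddings, overrides, isolates and their "pop" terminators). None of these
# belong in a filename, so their presence alone is a strong signal.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: what follows is drawn right-to-left

# Constructed sample: the true name is RecentNews.fdp.app; the override sits
# after "RecentNews." so a renderer shows the tail reversed as RecentNews.ppa.pdf.
SPOOFED_NAME = "RecentNews." + RLO + "fdp.app"
BENIGN_NAME = "RecentNews.pdf"  # constructed control case with no override


def bidi_controls(name):
    """Return (index, code point, bidi class) for every directional control in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
        for i, ch in enumerate(name)
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES
    ]


def strip_bidi_controls(name):
    """Remove directional controls, leaving the name the operating system acts on."""
    return "".join(
        ch for ch in name if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES
    )


def displayed_name(name):
    """Approximate a bidi-aware renderer: text after an RLO is drawn reversed.
    Only the single-override case used by the filename trick is modelled."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def extension(name):
    """Extension as a reader sees it: the text after the last dot, lower-cased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(name):
    """Report what the user sees versus what will actually be opened."""
    controls = bidi_controls(name)
    real = strip_bidi_controls(name)
    shown = displayed_name(name)
    return {
        "displayed": shown,
        "displayed_extension": extension(shown),
        "true_name": real,
        "true_extension": extension(real),
        "controls": controls,
        "suspicious": bool(controls),
        "extension_mismatch": extension(shown) != extension(real),
    }


if __name__ == "__main__":
    for name in (SPOOFED_NAME, BENIGN_NAME):
        r = analyze(name)
        print(
            f"{r['displayed']!r}: looks like .{r['displayed_extension']}, "
            f"really .{r['true_extension']}, controls={r['controls']}, "
            f"suspicious={r['suspicious']}"
        )
```

Checking `unicodedata.bidirectional()` rather than a hard-coded list of code points catches the whole family of directional controls (isolates as well as overrides), which matters because the same visual trick can be built from more than one of them; a mail gateway or download scanner can apply `analyze()` to attachment names and quarantine anything where `suspicious` is true, independently of whether the extension appears to mismatch.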
The final point of interest about Janicab is, of course, why was it written?
What we know is that Janicab can grab screenshots and record audio via your computer, without you realising, using the third-party command line utility Sox.
It seems plausible, therefore, to believe that Janicab was created to spy on others – something that has become increasingly common with malware in recent years.
According to VirusTotal, detection by most anti-virus products may not be in place yet. However, F-Secure says that it detects the malware as Backdoor:Python/Janicab.A and Trend Micro and Sophos appear to detect it as TROJ_GEN.F47V0712 and Mal/BredZpRTL-A respectively.
You can read more about the malware in F-Secure’s blog.
A similar use of the RTL Unicode char was used to get malware hosted on Google Drive in April.
http://techhelplist.com/index.php/spam-list/549-swift-transfer-confirmation-google-docs-malware