Photo of kissing TV couple leads to new Mac malware attack, with a Syrian twist

Graham Cluley

Researchers at Intego have reported the discovery of a new malware attack, designed to infect Mac computers and open a backdoor for hackers.

Intego says that the malware, which they have named OSX/Leverage.A, was submitted to the VirusTotal online malware-scanning service by a user in Belarus, and does not constitute a major threat to most Mac users. However, it is speculated that the malware could have been used in limited, targeted attacks.

There are some things about the Leverage Mac Trojan horse which make it more interesting than the norm.

Firstly, it uses a crafty piece of social engineering to dupe victims into activating its code.


The Trojan application is disguised as a digital photograph of a man and a woman kissing. Because Mac OS X does not show file extensions by default (something you should change in both Mac OS X and Windows to avoid precisely this kind of trick!), victims may not realise that they are not viewing an image but running a program instead.

And don’t think that checking your OS X dock or switching between apps using Cmd-Tab will reveal that a program is being run. The Trojan deliberately hides itself from appearing in those places.

As a final act of subterfuge, the Trojan opens a real JPEG image from within the Application bundle, tricking the victim into thinking that it really *was* just an image file after all…
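A triage sketch for the three tricks described above, added here as an example and not taken from Intego's analysis or from the malware itself. It assumes the Dock and Cmd-Tab hiding is done with the standard LSUIElement or LSBackgroundOnly keys in Info.plist and that the bundle name carries an image extension, neither of which the article specifies; the bundle names and the helpers triage_bundle, scan and make_sample are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
HIDE_KEYS = ("LSUIElement", "LSBackgroundOnly")  # assumed hiding mechanism

def triage_bundle(app: Path) -> list[str]:
    """Return the traits that make an .app bundle look like a fake photo."""
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
        hidden = [k for k in HIDE_KEYS if str(info.get(k, "")).lower() in ("1", "true", "yes")]
    except Exception:  # untrusted input: any read or parse failure is a finding
        return ["missing or unreadable Info.plist"]
    reasons = [f"{k} set: hidden from Dock and Cmd-Tab" for k in hidden]
    # A name such as "holiday.jpg.app" reads as a photo when ".app" is not shown.
    if Path(app.stem).suffix.lower() in IMAGE_EXTS:
        reasons.append("image extension in front of .app")
    # A JPEG shipped inside the bundle can serve as the decoy opened at launch.
    res = app / "Contents" / "Resources"
    files = res.iterdir() if res.is_dir() else []
    decoys = sorted(p.name for p in files if p.suffix.lower() in (".jpg", ".jpeg"))
    if decoys:
        reasons.append("JPEG inside bundle: " + ", ".join(decoys))
    return reasons

def scan(root: Path) -> dict[str, list[str]]:
    """Report bundles under root that show two or more of the traits."""
    found = {app.name: triage_bundle(app) for app in sorted(root.rglob("*.app"))}
    return {name: r for name, r in found.items() if len(r) >= 2}

def make_sample(root: Path, name: str, info: dict, resources=()) -> None:
    """Build a constructed, inert bundle skeleton (no executable) for the demo."""
    res = root / name / "Contents" / "Resources"
    res.mkdir(parents=True)
    with open(res.parent / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    for filename in resources:
        (res / filename).write_bytes(b"\xff\xd8\xff")  # placeholder bytes only

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(Path(tmp), "holiday.jpg.app", {"LSUIElement": "1"}, ["photo.jpg"])
        make_sample(Path(tmp), "Editor.app", {"CFBundleExecutable": "Editor"}, ["logo.png"])
        for name, reasons in scan(Path(tmp)).items():
            print(f"{name}: " + "; ".join(reasons))
```

Requiring two traits keeps the noise down: plenty of legitimate menu-bar agents set LSUIElement, and plenty of ordinary apps ship JPEGs, but few do both under a name that ends in an image extension.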

Intego researcher Lysa Myers says it is unclear how the malware is currently being spread:

At this time, we are unaware how it is sent to affected users. The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance. Depending on how the file is received, the behavior of the file in OS X may be slightly different.

In some cases, there will only be an alert from Gatekeeper if the user clicks on the application if it came from a download with a quarantine bit set. There are several ways of downloading a file that would set the quarantine bit; for example, apps downloaded from the browser or an email client. Apps from other sources, such as file servers, external drives, or optical discs will not set the quarantine bit, unless the apps were originally downloaded from the Internet and had the quarantine bit set at that time.

Once installed, the Trojan horse attempts to communicate with a command and control server on port 7777. Intego reports that the C&C server is currently down and no longer sending commands to infected computers.

However, in testing researchers found it downloading an image of the notorious Syrian Electronic Army hacking group.


So, does this mean the Leverage OS X Trojan was written by the Syrian Electronic Army?

Of course not. Anyone can write a piece of malware which contains images associated with the Syrian Electronic Army, Anonymous or the Battersea Dog’s Home.

Furthermore, the Syrian Electronic Army has made a name for itself by fairly rudimentary phishing attacks on media organisations, embarrassing them by posting tweets supporting the current regime in Syria.

The only reason I can imagine that someone else would want to embed such an image in their Mac malware is if they wanted to show their support for the hacking group, or simply wanted to throw cybercrime investigators off the scent of the true creators of this malware.

As always, Mac users should remember to protect their computers with up-to-date anti-virus software, and keep their systems updated with the latest OS and application security patches.

Oh, and who are the two people kissing in the picture? A quick Google image search answered that question.

It’s Sophie Devereaux and Nate Ford, two characters from the American TV show “Leverage”.

I wonder if the malware authors are fans?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Photo of kissing TV couple leads to new Mac malware attack, with a Syrian twist”

  1. Richard Steven Hack

    I'm a huge Leverage fan so I recognized that pic almost immediately even though it's not a particularly good pic. It IS however the first one that Google Image search displays if you search for "Leverage Sophie Nate Kissing".

    There aren't a lot of pics of them smooching because they didn't do it until the finale of season two. And they didn't too much later either.

    Here's the scene on Youtube:
    http://www.youtube.com/watch?v=nh49rYakmsY

    1. Thanks. I've never seen the show, although I recognise the actress's voice. She's been in a fair number of British TV shows.

  2. Walt French

    Last I looked, Mac users have to EXPLICITLY permit downloaded software to run. Are you claiming that this Trojan specifically bypasses the requirement for a user to answer the "running software downloaded from the internet" check?

    Because if you are, it's a much bigger story than you're making it out to be. Macs are normally well-defended against this type of foolishness.

    And if you're not—if this Trojan triggers the normal Mac defenses that would give anybody with half a brain, a clear signal that it's malware—why, you have the world's least relevant story about a lame attempt to compromise computers.

    So, let's tell the full story, not just the woulda, coulda version of how it's possible for people to intentionally put programs onto their computer, if they abandon all common sense.

    1. Graham Cluley · in reply to Walt French

      Thanks for your comment

      As Intego's blog post explains, there are scenarios through which the code could end up on your Mac such that the download check wouldn't trigger.

      The fact is, we don't know precisely how this code was transmitted. And any road, with the right social engineering users can be duped into ignoring security warnings etc.

    2. Cody · in reply to Walt French

      And that means exactly nothing. Just because you have to give permission does not mean it cannot happen easily (see also below, last paragraph, with an example, where I get to the real risk here). He even wrote that it doesn't seem too widespread which would indicate this. But keep in mind that there's always more attack vectors than you might think originally (again, see last paragraph).

      The full story is he gave the full story. Here's another thought for you: in Unix (and therefore SunOS/Solaris, BSD, oh hey – MacOS X is partly based on a Unix, different Linux distributions, others) you have privilege separation. For instance, to write to system directories you need to be either root or the user the process changes to (e.g., apache might run as apache, via the setuid system call, which if a file is given write access to apache user, then guess what process can write to it?). But you know what? That does not mean a thing when ignorant users stay logged in as root "in case they need it" rather than using utilities like sudo or su. So yes, Unix has privilege separation but that doesn't mean it is guaranteed. It also allows for dangerous tasks like changing the ownership of (or even the permissions of) the root directory, recursively (if you want a broken system, go for it!). Speaking of file permissions, similar logic applies: privilege separation is only as good as it is allowed by the user.

      I think I know the real point of your post though. I'm guessing you think MacOS is somehow safer and/or superior than other operating systems? Incorrect: it is NOT SUPERIOR and it is STILL VULNERABLE to malware as much as any other OS; that it is targeted less is irrelevant.

      Most importantly it has nothing to do with common sense. Need I point out remote holes as also being an attack vector? Remember Morris? That was malware ("worm") and it used holes in services on the system (many services even), it attacked remotely and it acted like a fork bomb which ultimately led to the systems crawling to their knees. MacOS is still vulnerable to malware, no matter how much anyone wishes to believe otherwise. Same goes for (obviously) other Unix OSs (whether related directly or not). Summarised by Graham himself: there are cases where checks won't be triggered and they don't know how it was transmitted or executed.
