Intego says that the malware, which it has named OSX/Leverage.A, was submitted to the VirusTotal online malware-scanning service by a user in Belarus, and does not constitute a major threat to most Mac users. However, Intego speculates that it could have been used in limited targeted attacks.
There are some things about the Leverage Mac Trojan horse which make it more interesting than the norm.
Firstly, it uses a crafty piece of social engineering to dupe victims into activating its code.
The Trojan application is disguised as a digital photograph of a man and a woman kissing. Because Mac OS X does not show file extensions by default (something you should change in both Mac OS X and Windows to avoid precisely this kind of trick!), victims may not realise that they are not viewing an image but running a program instead.
And don’t think that checking your OS X dock or switching between apps using Cmd-Tab will reveal that a program is being run. The Trojan deliberately hides itself from appearing in those places.
As a final act of subterfuge, the Trojan opens a real JPEG image from within the Application bundle, tricking the victim into thinking that it really *was* just an image file after all…
Intego researcher Lysa Myers says it is unclear how the malware is currently being spread:
At this time, we are unaware how it is sent to affected users. The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance. Depending on how the file is received, the behavior of the file in OS X may be slightly different.
In some cases, there will only be an alert from Gatekeeper when the user clicks on the application, and only if it came from a download with a quarantine bit set. There are several ways of downloading a file that would set the quarantine bit; for example, apps downloaded from the browser or an email client. Apps from other sources, such as file servers, external drives, or optical discs, will not set the quarantine bit, unless the apps were originally downloaded from the Internet and had the quarantine bit set at that time.
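As an added example (not from the article or from Intego), here is a small shell script a Mac administrator could run over a Downloads or Photos folder to list .app bundles whose names mimic image files, the kind of disguise described above. It assumes the image-extension-plus-.app naming pattern as its heuristic (the article does not give the Trojan's actual filename) and, where the macOS `xattr` tool is available, reports whether the bundle still carries the com.apple.quarantine attribute that triggers a Gatekeeper alert.

```shell
#!/bin/sh
# Added example: find .app bundles that pose as photos and check quarantine.
# Naming heuristic (e.g. "couple.jpg.app") is an assumption, not the sample's name.

# Print one line per suspicious bundle: path, then
# "quarantined" / "unquarantined" (macOS) or "n/a" (no xattr tool).
find_disguised_apps() {
    dir="$1"
    find "$dir" -type d -name '*.app' 2>/dev/null | while IFS= read -r app; do
        # Only real bundles have Contents/Info.plist; skip stray folders.
        [ -f "$app/Contents/Info.plist" ] || continue
        base=$(basename "$app" .app)
        # With extensions hidden, Finder shows "couple.jpg.app" as "couple.jpg".
        case "$base" in
            *.jpg|*.jpeg|*.png|*.gif|*.JPG|*.JPEG|*.PNG|*.GIF) ;;
            *) continue ;;
        esac
        q="n/a"
        if command -v xattr >/dev/null 2>&1; then
            if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
                q="quarantined"      # Gatekeeper will still warn on launch
            else
                q="unquarantined"    # no Gatekeeper prompt; review by hand
            fi
        fi
        printf '%s\t%s\n' "$app" "$q"
    done
}

# Number of suspicious bundles under a directory (0 means none found).
count_disguised_apps() {
    find_disguised_apps "$1" | wc -l | tr -d ' '
}
```

Run it as `find_disguised_apps ~/Downloads`; an "unquarantined" hit is the case the researcher describes, where no Gatekeeper alert would appear.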
Once installed, the Trojan horse attempts to communicate with a command and control server on port 7777. Intego reports that the C&C server is currently down and no longer sending commands to infected computers.
However, in testing researchers found it downloading an image of the notorious Syrian Electronic Army hacking group.
So, does this mean the Leverage OS X Trojan was written by the Syrian Electronic Army?
Of course not. Anyone can write a piece of malware which contains images associated with the Syrian Electronic Army, Anonymous or the Battersea Dog’s Home.
Furthermore, the Syrian Electronic Army has made a name for itself by fairly rudimentary phishing attacks on media organisations, embarrassing them by posting tweets supporting the current regime in Syria.
As always, Mac users should remember to protect their computers with up-to-date anti-virus software, and keep their systems updated with the latest OS and application security patches.
Oh, and who are the two people kissing in the picture? A quick Google image search answered that question.
It’s Sophie Devereaux and Nate Ford, two characters from the American TV show “Leverage”.
I wonder if the malware authors are fans?