Recently Commented On

Is surprise.katespade.com a Scam? - Questions and Answers
- 4 years ago
- Views: 3,033
- 2 Answers

Bobbitt Settlement Administrator Valic Class Action Lawsuit - Questions and Answers

4 months ago
Views: 17,410
135 Answers

806-692-8003 Wells Fargo Text Scam and Telephone Number - Phishing - Scamming - Fraud - Identity Theft

4 days ago
Views: 166
2 Comments

Financial Hardship Department Scam - 833-732-2828 - 833-877-3102 - 833-877-2938 - 833-877-3009, 833-877-1903 - Phishing - Scamming - Fraud - Identity Theft

8 months ago
Views: 29,078
1,211 Comments

USPScd Scam Website at uspscd.com and Text - Phishing - Scamming - Fraud - Identity Theft

6 days ago
Views: 159
3 Comments

Mac OS X Malware Disguised As Word and PDF Documents

Comments: 0
Views: 2,658
Save
Updated: Jul. 18, 2013 2013-07-18T16:23:28
Posted: Jul. 16, 2013 2013-07-16T01:00:58
Online Threat Alerts (OTA)

A new Mac OS malware called "Backdoor:Python/Janicab", disguised as a PDF and Word document has been discovered by internet security software maker, F-Secure. The malware uses the Right-to-Left override (RLO) trick to disguise itself as a PDF and Word document, by hiding the real extension of the file. This will trick someone into believing the file is a document instead of an application.

The RLO is a set of characters designed to support languages that are written right to left, such as Arabic and Hebrew, but can be used to make a malicious application look like a harmless PDF or Word document.

How can a malicious application be disguised as a harmless document?

Here is an example:
If the cybercriminals behind this malware want to disguise the application file “RecentNews.FDP.app”, to make it appear as the PDF document file “RecentNews.ppa.PDF”, all they have to do is put the RLO unicode command for Right to Left override just before the letter “F” in the file name “RecentNews.?FDP.app”. The question sign (?) inidicates where the "Right to Left" character should be placed. This character is known as U+202E in the Unicode encoding standard.

This will make the file appear as if it is a PDF, although it is an application. This is because the last part of the file name (“FDP.app”) will now read from right to left, therefore, making it be displayed as “ppa.PDF” - -RecentNews.ppa.PDF.

If someone opens the file thinking it is a document, the malware will open silently in the background and display a sample document. This sample is a decoy, used to trick the user into believing that they have opened a document.

Once this Mac OS X malware is active on the infected computer, it will continuously spy on the user of the computer by taking screen shots of the computer and record audio through the computer's microphone. These screen shots and audio recordings are then uploaded to the command and control server.

This malware will continuously check the Command and Control server for instructions from the cybercriminals behind this malware.

This malware also goes by the following names:

BackDoor.Janicab.1
Python/Janicab.A
TROJ_GEN.F47V0712
Mal/BredZpRTL-A
Backdoor:Python/Janicab.A

Macintosh computer users must be careful when opening document files like Adobe Acrobat (PDF) or Microsoft Word (DOC). Do not open documents from untrustworthy sources or documents sent as email attachment from unknown senders.

For information about this malware, please click here.

Check the comment section below for additional information, share what you know, or ask a question about this article by leaving a comment below. And, to quickly find answers to your questions, use our search

engine.

Note: Some of the information in samples on this website may have been impersonated or spoofed.

Was this article helpful? +