Windows users have been warned time and time again of malware hiding behind icons and extensions belonging to files associated with legitimate software – most notably PDF, DOC and XLS files.
In spite of that, malware peddlers have had a lot success with this simple technique. It is no wonder, then, that they would try to use it on Mac users as well.
F-Secure shared its knowledge about a new dropper Trojan targeting that particular segment of users, disguised as a PDF file.
The researchers think that the sample the have analyzed is a work in progress – a beta version, if you will – of the final product.
They received it from VirusTotal, and believe that the author has uploaded it to the site in order to see how many of the AV solutions used by the popular file checking service will be triggered by it.
The sample they got begins its attack by dropping and opening a PDF file containing a political document in Chinese. In the background, a backdoor is installed which would allow remotely located attackers to access the compromised computer.
“The C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet,” say the researchers.
They also point out that the sample they received does not have an extension or an icon yet.
“However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.”