Intego uncovers new image-based Trojan, installs backdoor on Macs
MacNN Staff
Join Date: Jul 2012
Sep 17, 2013, 07:27 PM
A file that looks like an image file and bears a camera-like filename with the extension not visible by default has been discovered to actually be a rogue application that could install a permanent "backdoor" on Mac systems and triggers Preview to open an image, fooling the user into thinking it was simply an unusual picture file. The purpose of the Trojan appears to be supportive of the hacker Syrian Electronic Army, which is in league with the totalitarian regime of Syria's present government. It is currently considered low-risk for a number of reasons.

The main reason why this new threat is seen as minimal is because the controlling server behind the attack is currently down and is not sending commands to affected users, with US and other law-enforcement authorities likely to ensure that it remains inactive. The spread of the Trojan appears to be a targeted attack aimed at certain groups opposed to Syrian President Bashar al-Assad, and isn't seen to be aimed at widespread distribution.

Further, installing the Trojan requires an admin password, alerting users to the fact that the so-called "image" file is in fact an application; genuine image files do not require installation procedures. Finally, Mac users running either OS X Lion or Mountain Lion (10.7 or 10.8, estimated to be around 70-80 percent of the active Mac user base) who have Gatekeeper (or are running an up-to-date anti-malware product) will find the Trojan blocked automatically. Apple may further update its own built-in XProtect anti-malware system (available to Snow Leopard, Lion and Mountain Lion users) to prevent accidental installation and indeed may have already done so; updates to XProtect are done silently without user knowledge.

Intego says that while the Trojan has been spotted "in the wild" among users, and despite the Trojan's attempts to disguise itself, the overall threat level "appears to be low." The Trojan, called OSX/Leverage.A by Intego, disguises itself as a picture file. Once installed by a user with admin privileges, it installs a backdoor that allows an attacker to send a variety of commands, the company says.

It's unclear how the malware was intended to be distributed, but it could have been intended for email or placed on a website as part of a "watering hole" attack. Users who try to download the application from a website, through a browser or in email will likely get flagged by Gatekeeper unless the latter has been disabled.

Once installed, OSX/Leverage.A copies itself to the Shared folder in Users as "UserEvent.app" and creates a launch agent so that it is activated at startup. The app shows no sign of appearing in the dock or via Command-Tab, and once inserted opens a JPG file inside the Application bundle calling Preview in an attempt to fool the user that the "picture" is harmless. It then tries to connect to the currently-disabled "command and control" (C&C) server on port 7777.

Intego says that "in testing, we observed the C&C receiving a variety of system information about the affected machine, sending Pings to monitor the connection, and trying to download [a Syrian Electronic Army] image file to the machine, among other commands." The company advises users to keep software, OS versions, browsers and plugins (particularly Flash and Java, if used) up to date, and to avoid supplying a password for any image file downloaded from the web or received in an email.
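
A defender's triage check built from the indicators named in this thread (the "UserEvent.app" copy in the Shared folder, a launch agent, and a bundle name such as "DSCF_1234.jpg.app"), added here as an example and not code from MacNN or Intego. Scanning every `LaunchAgents` directory, flagging any job that runs from `/Users/Shared/`, and all sample names inside `demo()` are assumptions.

```python
import os, plistlib, re, tempfile
# Image extension followed by ".app", which Finder hides by default, e.g. "DSCF_1234.jpg.app"
DISGUISED = re.compile(r"\.(jpe?g|png|gif|tiff?|bmp)\.app$", re.IGNORECASE)
DROPPED = os.path.join("Users", "Shared", "UserEvent.app")  # location named in the article

def agent_targets(plist_path):
    """Program paths a launchd job would run; empty list if the plist is missing or malformed."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
        args = job.get("ProgramArguments") or []
        return [str(p) for p in [job.get("Program"), *args[:1]] if p]
    except Exception:
        return []

def scan(root):
    """Walk root (a mounted volume or triage copy) and return sorted (kind, path) findings."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            rel = os.path.relpath(os.path.join(dirpath, d), root)
            if DISGUISED.search(d):
                found.append(("disguised-app", rel))
            if rel == DROPPED:
                found.append(("dropped-bundle", rel))
            if d.lower().endswith(".app"):
                dirnames.remove(d)  # bundles are reported, not descended into
        if os.path.basename(dirpath) == "LaunchAgents":
            for f in (f for f in filenames if f.endswith(".plist")):
                path = os.path.join(dirpath, f)
                # Assumption: a job that launches anything from /Users/Shared deserves review
                if any("/Users/Shared/" in t for t in agent_targets(path)):
                    found.append(("launch-agent", os.path.relpath(path, root)))
    return sorted(found)

def demo():
    """Scan a constructed sample tree; every name is hypothetical except UserEvent.app."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("Users/alice/Downloads/DSCF_1234.jpg.app/Contents", "Users/Shared/UserEvent.app",
                  "Users/alice/Library/LaunchAgents", "Applications/Preview.app"):
            os.makedirs(os.path.join(root, d))
        agents = os.path.join(root, "Users/alice/Library/LaunchAgents")
        for name, prog in (("com.example.sample", "/Users/Shared/UserEvent.app/Contents/MacOS/UserEvent"),
                           ("com.example.benign", "/Applications/Preview.app/Contents/MacOS/Preview")):
            with open(os.path.join(agents, name + ".plist"), "wb") as fh:
                plistlib.dump({"Label": name, "ProgramArguments": [prog]}, fh)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `scan()` at `/` on a live Mac or at the mount point of a disk image; a hit is a lead for review, not proof of infection.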

Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Sep 17, 2013, 07:58 PM
This will only fool people who don't understand what it means to authenticate and install.
HyperNova Software, LLC
Check out SuperScanner! for the iPad
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Sep 18, 2013, 12:17 AM
While I fully agree with you, never underestimate the ability of some people to be fooled. I learned a long time ago that if "common sense" is your last line of defence, you have no last line of defence.
Charles Martin
MacNN Editor
Dedicated MacNNer
Join Date: Apr 2007
Sep 18, 2013, 03:19 AM
Those of us who set Finder to show all extensions will not be fooled either. "DSCF_1234.jpg.app" is hard to miss.

It's possible Intego is wrong about this. It may not be from the Syrian Electronic Army at all. It could be an intelligence test by white hats, to teach people the dangers of hiding their filenames. One experience is likely to be very educational.
Junior Member
Join Date: Nov 2001
Location: australia
Sep 18, 2013, 03:31 AM
Now they're attacking Macs? Well this time they've gone too far!
_ _ _ _____________ _ _ _
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Sep 18, 2013, 04:20 AM
Just to clarify: neither the article nor Intego says the malware came *from* the SEA, just that it appears to be supportive of that group.
Charles Martin
MacNN Editor
Fresh-Faced Recruit
Join Date: Jun 2013
Sep 18, 2013, 08:23 AM
This is total BS. First, the regime is not totalitarian when most of the Syrians actually want it.
What would the so-called "electronic Syrian army" want with our Mac?
This is done by someone and just blamed on Syria because it is what people do now; a few years ago it was the Iraqis. Please get a life!
Forum Regular
Join Date: Sep 2000
Sep 18, 2013, 11:04 AM
"installing the Trojan requires an admin password" I wish someone would actually read these articles before posting them. Just because someone fooled a user into installing software on their system doesn't qualify it for an article. You could just say, "Dumb users at it again!"
All times are GMT -4.