OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Delivery notice trojan targeting Mac users

Published January 21st, 2014 at 2:48 PM EDT , modified January 21st, 2014 at 2:48 PM EDT

Sophos reported today the discovery of a new Mac trojan, which they are calling OSX/LaoShu-A, that is spreading through fake FedEx delivery e-mails. It’s unknown how widespread these e-mails might be, but this method of infection has the potential to reach a lot of people! Although a savvy Mac user will see the warning signs, many people will probably not understand the implications of those signs and will open the trojan anyway.

The e-mail message evidently contains what looks like a link to fedex.com, but clicking the link downloads what looks like a PDF from a different site. That file, however, is actually an application disguised to look like a PDF file. Fortunately, if the user tries to open the file, they will receive the standard Mac OS X warning that it is an application that was downloaded from the internet, asking for confirmation to open it. This is an instant red flag to savvy Mac users, who will know that this should not be shown for a PDF file, but many people will probably not bother to read the warning carefully and will open the trojan anyway.

Once opened, the malware will proceed to mine your system for any desirable data. It will seek out a number of different file types, compress those files and transmit them off to a command & control server. The malware is also capable of downloading and installing new software and running shell commands, allowing it to be put to other uses in the future.

In all, it’s a nasty piece of malware, but there is a good side… the malware is signed. This allows it to get past the Gatekeeper security on Mac OS X 10.8 (Mountain Lion) and 10.9 (Mavericks). However, it is also this malware’s greatest weakness. Now that it has been discovered, it is only a matter of time before Apple revokes the developer certificate used to sign the malware. The hackers behind it could always release new variants, signed with a new certificate, each time this happens… but at $99 a pop, that will get unmanageable quickly.

Tags: , ,

12 Comments

  • Abdullah says:

    Do you suggest any specific Anti-virus
    I use Bitdefender do you think it’s a good one?

    • Thomas says:

      My recommendations with regard to anti-virus software can be found in my Mac Malware Guide. I’m also working on a new round of anti-virus software testing right now, so keep an eye on my blog for the results when I’m done.

    • Mirabela Dinu, Social Media Manager Bitdefender says:

      Hello, Abdullah.
      Yes, we “catch it”, do not worry.

  • Someone/bentkitty100 says:

    Thomas, you’re working on a new AV test? Great!! I just uninstalled Sophos because someone (I think Linc Davis) on the ASC told me to before upgrading to Mavericks, but I’d love to have a new recommendation 🙂

    • Thomas says:

      Yup, I just finished all the scanning. Tabulation of the data will take some time, though. I’m going to post some preliminary comments shortly, though, as the testing has left me thoroughly pissed off with a number of these supposed “anti-virus” apps.

  • Jay says:

    Looks like the developer ID has been revoked. Unusually quick turn around by Apple.

  • Sean says:

    Hi Thomas,

    Regarding the spam, it’s quite wide spread — it’s part of the same crimeware ecosystem that typically infects Windows (and Android) users. Mac users probably receive this type of spam all the time, but most of the time it doesn’t redirect to a Mac payload. The infection chain is highly commoditized — a well oiled chain. In this particular case, there is a link for Macs. Crimeware spam links to a server that determines OS and then passes the traffic to the appropriate campaign. And the people behind LaoShu are bidding/buying that traffic from the spam gang. If they aren’t actively campaigning… the link will be passed to some webspam, or else just dumped to YouTube or something.

    Regarding the Developer ID, if the campaign is successful, $99 isn’t a very high cost. Also, these guys often use stolen credit cards to buy stuff. Other aspects are certainly unmanageable but cost isn’t probably an issue.

    Also of note, in the LaoShu case, the Developer ID is using a very common English-based name. And I can find several people with that name that work as developers. So perhaps this particular Developer ID was stolen. The iPhoneDevSDK case should have been a clarion call for Mac-based developers to secure themselves from watering hole attacks — but I fear it wasn’t.

    ___

    I’m curious, do you restrict your settings to install apps ONLY from the Mac app store? How often to you install software? For the average user, wouldn’t it be good advice to simply reject all apps unless they come from the app store? And then to toggle the setting for when you need it and are actively installing something. Or would most Mac users find that to be a pain?

    Regards!

    • Thomas says:

      Thanks for the additional info!

      Regarding my Gatekeeper settings, I leave them at the default, because there are certain cases where App Store apps just aren’t good enough. For example, I insist on using the non-App Store version of TextWrangler, because of restrictions that reduce the feature set slightly on the App Store version.

      The most restrictive setting is the safest, though, and the average user may very well be fine with that.

      • Sean says:

        Does the more restrictive setting prevent you from running non-App Store apps, or just installing? What I mean to say is, if you can run the non-App Store version of TextWrangler, but would need to toggle the setting to update — would you consider that to be too much of an annoyance?

        • Thomas says:

          It only prevents you from running an app for the first time. Once run, it should work just fine, even with Gatekeeper on the more restrictive setting. There’s also a way to make a one-time exception for an app, allowing it to run from then on despite the Gatekeeper settings, without changing those settings. How that is done is not very obvious to the average user, though. (Control-click and choose Open rather than double-clicking.) I’m guessing this would work for the most restrictive setting, but I’ve only ever used it to run unsigned apps, so I don’t have first-hand experience that it will.

This post is more than 90 days old and has been locked. No further comments are allowed.