OFFICIAL SECURITY BLOG


New Mac malware discovered: OSX/Leverage

Published September 17th, 2013 at 5:21 PM EST , modified September 19th, 2013 at 5:30 PM EST

Intego announced the discovery of a new trojan today, which they are calling OSX/Leverage. According to Intego’s observations, it would appear that this malware has some association with the Syrian Electronic Army. What is still unknown is exactly what its goal is, who it is being sent to and how. Like other similar malware that has appeared recently, though, it’s probably being used in targeted attacks on specific individuals or groups.

[Image: DSC00117]

This trojan pulls the same old trick that numerous others have over the years: pretending to be an image file (a rather tame one, unlike some past malware), in order to trick the user into opening it. Like the KitM malware, it is given a name similar to those given to images created by Nikon cameras. When opened, it will attempt to open an image file in Preview to cover up the shenanigans that it’s up to in the background. (I say “attempt” because this failed in one test. Preview opened, but no image appeared.) The ruse is not entirely successful, though, as there is a very noticeable and suspicious delay between when the file is opened and when Preview actually starts trying to open the image.

What the user is not supposed to notice is the creation of an application named UserEvents.app in the /Users/Shared folder, or the creation of a LaunchAgent to keep this application running. It’s important to note that there is a normal process that is part of Mac OS X called UserEventAgent, which is not related to this malware. This is a common malware trick: choosing a name similar to a benign process so that the new item does not attract suspicion in a process list or a folder listing.
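As an added example (not from the original post, and not Intego’s code), here is a POSIX shell check for the two artifacts described above: the dropped /Users/Shared/UserEvents.app bundle and any LaunchAgent plist that points at it. The plist filename, label and fixture contents are constructed for illustration; the real sample’s LaunchAgent name is not reproduced here. A decoy plist that mentions Apple’s own UserEventAgent is included to show that the check does not fire on the look-alike system process.

```sh
#!/bin/sh
# Added example: hunt for OSX/Leverage persistence artifacts.
# leverage_check [root]  - root prefixes every path so the check can be run
#                          against a fixture tree; leave it empty on a real Mac.
# Prints one HIT line per finding, then the hit count; exits non-zero on any hit.
leverage_check() {
  root="${1:-}"
  hits=0
  app="$root/Users/Shared/UserEvents.app"
  if [ -d "$app" ]; then
    echo "HIT: dropped app present: $app"
    hits=$((hits + 1))
  fi
  for dir in "$root/Library/LaunchAgents" "$root"/Users/*/Library/LaunchAgents; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      # Binary plists must be converted first on a real Mac
      # (plutil -convert xml1 -o - "$plist"); the fixture below is XML.
      if grep -q 'UserEvents\.app' "$plist"; then
        echo "HIT: LaunchAgent references UserEvents.app: $plist"
        hits=$((hits + 1))
      fi
    done
  done
  echo "$hits"
  [ "$hits" -eq 0 ]
}

# Constructed fixture (not the real sample): one malicious-looking LaunchAgent,
# one benign decoy that names Apple's UserEventAgent, and the dropped bundle.
make_fixture() {
  dir="$1"
  mkdir -p "$dir/Users/Shared/UserEvents.app/Contents/MacOS" \
           "$dir/Users/alice/Library/LaunchAgents"
  cat > "$dir/Users/alice/Library/LaunchAgents/com.example.userevents.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.userevents</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/UserEvents.app/Contents/MacOS/UserEvents</string></array>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
  cat > "$dir/Users/alice/Library/LaunchAgents/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/UserEventAgent</string></array>
</dict>
</plist>
EOF
}

# Usage on a Mac:        leverage_check
# Self-test on a fixture: t=$(mktemp -d); make_fixture "$t"; leverage_check "$t"
```

The grep pattern deliberately matches the bundle name rather than the word “UserEvent”, which is exactly what the name-similarity trick relies on: a looser pattern would flag the legitimate UserEventAgent on every machine.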

According to Intego’s analysis, the malware contacts a command & control server and transmits information about the infected machine. It also receives instructions, as well as an image file seemingly linking the malware to the Syrian Electronic Army.

[Image: Syrian Electronic Army logo]

This malware will function in Mac OS X 10.8.5, but only if Gatekeeper is bypassed: at Gatekeeper’s default setting the app is blocked. If the user turns off Gatekeeper entirely, or makes a one-time exception for this app by control-clicking it and choosing Open, it will run just fine. There is a group of people unhappy with what they term Apple’s “walled garden,” and they are likely to have disabled Gatekeeper, allowing them to run apps downloaded from anywhere willy-nilly. These people are all currently vulnerable, as no anti-virus software that I am aware of other than Intego’s VirusBarrier currently recognizes this as malware.

I’m sure very few people will ever see this in the wild, and fewer still will actually be in a vulnerable state, especially once Apple adds a definition for this malware to its XProtect malware database, at which point not even disabling Gatekeeper will allow it to run.

One interesting note: some security experts have recently called attention to the low-tech nature of the attacks the Syrian Electronic Army has been engaging in. None have been particularly sophisticated, apparently. Examining this malware, I noticed that it appears to have been built using RealBasic. There’s nothing wrong with RealBasic – I have used it to develop applications myself in the past. However, it does have a rather low bar to entry, and would be extremely easy for an amateur programmer to get started with. Is this further evidence that the Syrian Electronic Army is just a bunch of script kiddies? Or are they experienced hackers who choose RealBasic for its ability to allow rapid development and to compile to both Mac and Windows from the same code? I don’t have the answers to these questions, but they are interesting to ponder.

Updates

Sept. 19, 2013: Apple has now updated XProtect to detect Leverage and prevent it from launching.

On an interesting side note, I now know why Intego chose to call this malware Leverage… because the photo of the couple kissing is from the TV show on the TNT network called, you guessed it, Leverage! Guess I haven’t paid enough attention to pop culture lately… :)


9 Comments

  • Maxim says:

    I turned off Gatekeeper, because I can’t launch LIMBO (game) when it’s turned on… =(

    • Sid Cannon says:

      Like Thomas said above, with Gatekeeper enabled just control-click the app, in your case Limbo, and a popup should appear where you can tell it to always allow Limbo to run. Then you can play Limbo and have Gatekeeper enabled.

      • Maxim says:

        I know it, but it doesn’t help :) Before, when Gatekeeper was turned on, I received the message: “LIMBO” is damaged and can’t be opened. You should move it to the Trash.
        I googled it, and people said I have to turn off Gatekeeper.

        Now I checked if the game launches when Gatekeeper is on, and it’s working.

        Thanks.

    • Thomas says:

      You should be able to run Limbo just fine after running it successfully the first time, even with Gatekeeper enabled. If that isn’t the case, the quarantine flag must not be getting cleared appropriately. I would guess that’s because you’re using a non-admin account when playing the game, where you don’t have permission to modify anything in the Applications folder… Try running the game once in an admin account.

  • Al says:

    Apple updated its XProtect system on Thursday, 19 Sep at 18:52 GMT to detect this as OSX.Leverage.a

    • Doug says:

      Great to know! I’m getting rather concerned, however, that OS X users are going to need more to handle the PUPs that are popping up. I mean, MSE (Defender) is Microsoft’s answer and it can barely handle the malicious installs, let alone PUPs.

      • Thomas says:

        Potentially Unwanted Programs (PUPs) are always going to be a problem for any anti-virus system. It’s a fine line to walk, deciding to detect a program that is not actually malware as a PUP. And that’s a line that can get you sued if you’re not careful.
