Delivery notice trojan targeting Mac users
Published January 21st, 2014 at 2:48 PM EDT, modified January 21st, 2014 at 2:48 PM EDT
Sophos reported today the discovery of a new Mac trojan, which they are calling OSX/LaoShu-A, that is spreading through fake FedEx delivery e-mails. It’s unknown how widespread these e-mails might be, but this method of infection has the potential to reach a lot of people! Although a savvy Mac user will see the warning signs, many people will probably not understand the implications of those signs and will open the trojan anyway.
The e-mail message evidently contains what looks like a link to fedex.com, but clicking the link downloads what looks like a PDF from a different site. That file, however, is actually an application disguised to look like a PDF file. Fortunately, if the user tries to open the file, they will receive the standard Mac OS X warning that it is an application that was downloaded from the internet, asking for confirmation to open it. This is an instant red flag to savvy Mac users, who will know that this should not be shown for a PDF file, but many people will probably not bother to read the warning carefully and will open the trojan anyway.
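The disguise described above rests on a mismatch between what the filename suggests and what the bytes actually are. As an added example (not from the original post or from Sophos), the following Python flags a download whose name reads as a PDF but whose content is a Mach-O executable or an archive; the magic numbers are the standard ones, and the sample files are constructed here for illustration.

```python
import struct

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
# Mach-O magic words as a big-endian 32-bit read: thin 32/64-bit in either
# byte order, plus the fat (universal) header used by multi-architecture binaries.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE}


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever the name claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "mach-o executable"
    if data.startswith(ZIP_MAGIC):
        return "zip archive"
    return "unknown"


def claimed_type(name: str) -> str:
    """The type a casual reader infers from the name. Finder hides the trailing
    '.app', so 'Notice.pdf.app' is displayed as 'Notice.pdf'; any '.pdf' suffix counts."""
    suffixes = name.lower().split(".")[1:]
    return "pdf" if "pdf" in suffixes else "other"


def assess(name: str, data: bytes) -> dict:
    """Report a download whose visible name promises a PDF but whose bytes do not."""
    claimed = claimed_type(name)
    actual = content_type(data)
    hidden_app = name.lower().endswith(".app") and claimed == "pdf"
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "hidden_app_extension": hidden_app,
        "suspicious": claimed == "pdf" and actual != "pdf",
    }


# Constructed samples: a genuine PDF header and a 64-bit little-endian Mach-O header.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "FedEx_Delivery_Notice.pdf.app": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
}


def suspicious_names() -> list:
    """Names in SAMPLES that fail the name-versus-content check."""
    return [n for n, d in SAMPLES.items() if assess(n, d)["suspicious"]]
```

Run over a real downloads folder, the same check would also catch a PDF-named file that is really a zip archive wrapping an application bundle.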
Once opened, the malware will proceed to mine your system for any desirable data. It will seek out a number of different file types, compress those files and transmit them off to a command & control server. The malware is also capable of downloading and installing new software and running shell commands, allowing it to be put to other uses in the future.
In all, it’s a nasty piece of malware, but there is a good side… the malware is signed. That signature allows it to get past the Gatekeeper security on Mac OS X 10.8 (Mountain Lion) and 10.9 (Mavericks). However, the signature is also this malware’s greatest weakness. Now that it has been discovered, it is only a matter of time before Apple revokes the developer certificate used to sign the malware. The hackers behind it could always release new variants, signed with a new certificate, each time this happens… but at $99 a pop, that will get unmanageable quickly.