New Mac malware discovered: OSX/Leverage
Published September 17th, 2013 at 5:21 PM EDT , modified September 19th, 2013 at 5:30 PM EDT
Intego announced the discovery of a new trojan today, which they are calling OSX/Leverage. According to Intego’s observations, it would appear that this malware has some association with the Syrian Electronic Army. What is still unknown is exactly what its goal is, who it is being sent to and how. Like other similar malware that has appeared recently, though, it’s probably being used in targeted attacks on specific individuals or groups.
This trojan pulls the same old trick that numerous others have over the years: pretending to be an image file (a rather tame one, unlike some past malware), in order to trick the user into opening it. Like the KitM malware, it is given a name similar to those given to images created by Nikon cameras. When opened, it will attempt to open an image file in Preview to cover up the shenanigans that it’s up to in the background. (I say “attempt” because this failed in one test. Preview opened, but no image appeared.) The ruse is not entirely successful, though, as there is a very noticeable and suspicious delay between when the file is opened and when Preview actually starts trying to open the image.
What the user is not supposed to notice is the creation of an application named UserEvents.app in the /Users/Shared folder or the creation of a LaunchAgent to keep this application running. It’s important to note that there is a normal process that is part of Mac OS X called UserEventAgent, which is not related to this malware. This is a common malware trick: choosing a name similar to a benign process to avoid causing suspicion.
According to Intego’s analysis, the malware contacts a command & control server and transmits information about the infected machine. It also receives instructions, as well as an image file seemingly linking the malware to the Syrian Electronic Army.
This malware will function in Mac OS X 10.8.5, but only if Gatekeeper is disabled. If the user turns off Gatekeeper entirely, or makes a one-time exception for this app by control-clicking it and choosing Open, it will run just fine. There is a group people unhappy with what they term Apple’s “walled garden,” and they are likely to have disabled Gatekeeper, allowing them to run apps that have been downloaded from anywhere willy-nilly. These people are all currently vulnerable, as no anti-virus software that I am aware of other than Intego’s VirusBarrier currently recognize this as malware.
I’m sure very few people will ever see this in the wild, and fewer will actually be in a vulnerable state. Especially once Apple adds a definition for this malware to their XProtect malware database, at which time not even disabling Gatekeeper will allow it to run.
One interesting note: some security experts have recently called attention to the low-tech nature of the attacks the Syrian Electronic Army has been engaging in. None have been particularly sophisticated, apparently. Examining this malware, I noticed that it appears to have been built using RealBasic. There’s nothing wrong with RealBasic – I have used it to develop applications myself in the past. However, it does have a rather low bar to entry, and would be extremely easy for an amateur programmer to get started with. Is this further evidence that the Syrian Electronic Army is just a bunch of script kiddies? Or are they experienced hackers who choose RealBasic for its ability to allow rapid development and to compile to both Mac and Windows from the same code? I don’t have the answers to these questions, but they are interesting to ponder.
Sept. 19, 2013: Apple has now updated XProtect to detect Leverage and prevent it from launching.
On an interesting side note, I now know why Intego chose to call this malware Leverage… because the photo of the couple kissing is from the TV show on the TNT network called, you guessed it, Leverage! Guess I haven’t paid enough attention to pop culture lately… 🙂