{"id":17895,"date":"2013-09-17T11:04:10","date_gmt":"2013-09-17T18:04:10","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=17895"},"modified":"2016-10-07T12:19:56","modified_gmt":"2016-10-07T19:19:56","slug":"new-mac-trojan-discovered-related-to-syria","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-trojan-discovered-related-to-syria\/","title":{"rendered":"New Mac Trojan Discovered Related to Syria"},"content":{"rendered":"

A new Mac Trojan has been discovered that creates a backdoor on an affected user\u2019s machine. It was found on VirusTotal, sent by a user in Belarus. At the time of writing, the Command and Control (C&C) server is down and no longer sending commands to affected users. This appears to be a targeted attack, though the method of delivery is not yet known. So, while this has been affecting users in the wild, the overall threat level appears to be low.<\/p>\n

The Trojan is an application that is disguised as a picture \u2013 the .app file-extension is not visible by default.<\/p>\n

\"Leverage\"<\/a><\/p>\n

At this time, we are unaware how it is sent to affected users. The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance. Depending on how the file is received, the behavior of the file in OS X may be slightly different.<\/p>\n

In some cases, there will only be an alert from Gatekeeper if the user clicks on the application if it came from a download with a quarantine bit set. There are several ways of downloading a file that would set the quarantine bit; for example, apps downloaded from the browser or an email client. Apps from other sources, such as file servers, external drives, or optical discs will not set the quarantine bit, unless the apps were originally downloaded from the Internet and had the quarantine bit set at that time.<\/p>\n

When run, the Trojan copies itself to \/Users\/Shared\/UserEvent.app<\/b><\/p>\n

MD5<\/b>\u00a0\u00a0\u00a0 6a36379b1da8919c1462f62deee666be<\/p>\n

SHA-1<\/b> 40b34e91cde683a567974750d1c5c9bcb09a87bb<\/p>\n

\"UserEvent\"<\/a><\/p>\n

It also creates a LaunchAgent in ~\/Library\/LaunchAgents\/UserEvent.System.plist<\/b> to launch the application \/Users\/Shared\/UserEvent.app<\/b><\/p>\n

\"LaunchAgents\"<\/a><\/p>\n

The Mac Trojan hides itself from the Dock and Cmd-Tab Application switching.\u00a0It then opens the JPEG image inside the Application bundle with the standard OS X application Preview, which fools the user into thinking that it was just an image file.<\/p>\n

Once it\u2019s installed, the Trojan connects to the C&C server on port 7777.<\/p>\n

The Trojan application installs a permanent backdoor that allows the attacker to send a variety of commands. In testing, we observed the C&C receiving a variety of system information about the affected machine, sending Pings to monitor the connection, and trying to download the following image file to the machine, among other commands.<\/p>\n

\"syrian<\/a><\/p>\n

Intego VirusBarrier<\/a> with current virus definitions protects Mac users against this malware, detected as OSX\/Leverage.A<\/strong>. While this is known to be affecting users, this is considered to be a low-risk threat at this time, as it appears to be a targeted attack. This rating may be changed as more information comes to light. If possible, it\u2019s advised that users keep all their software, particularly operating system, browsers and browser plugins (such as Flash and Java if applicable) up to date as exploits are common ways for such attacks to spread.<\/p>\n","protected":false},"excerpt":{"rendered":"

A new Mac Trojan has been discovered that creates a backdoor on an affected user\u2019s machine. It was found on VirusTotal, sent by a user in Belarus. At the time of writing, the Command and Control (C&C) server is down and no longer sending commands to affected users. This appears to be a targeted attack, […]<\/p>\n","protected":false},"author":6,"featured_media":8755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,5],"tags":[30,174,86,635,637,132],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n