![\"App-Icons](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/09\/App-Icons-3.png\"){kind=icon}
<\/p>\nSecurity researchers have discovered three trojan horse applications, now posted to VirusTotal, which appear to be part of a targeted attack for both Mac OS X and Windows machines.\u00a0Likely found in pirated software distributed via BitTorrent trackers and other sites containing links to pirated software, these trojans act as backdoors on an affected user’s system, and are found bundled with copies of legitimate commercial applications.<\/p>\n
When the files as shown below are run, each tries to contact a Command and Control (C&C) server to await commands from the attacker.<\/p>\n
AppDelete.app.zip
\nSHA1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 8bbbc10bf35ac5c9ba768462cbf864713ff740fe<\/p>\n
<\/p>\n
Img2icns.app.zip
\nSHA1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 14bc618b68e17a1ed79bb786e7d33efe21c03b84<\/p>\n
![\"App-Icons2\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/09\/App-Icons2.png\")
<\/p>\n
CleanMyMac.app.zip<\/p>\n
SHA1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 6819dd010b463d30cc94b33547bb4c2d95dd672f<\/p>\n
The .launchd.app application has a simple keylogger that communicates with the C&C server. Persistence is achieved by creating a LaunchAgent, which launches the backdoor .launchd.app at every login:<\/p>\n The backdoor files are removed from the commercial application at the first launch of the backdoor, attempting to hide the trojan’s trail. Affected users cannot effectively see where the backdoor came from after the first launch.<\/p>\n Similar to\u00a0OSX\/Leverage<\/a>, this trojan inhibits the Dock icon and Command-Tab application switching when the backdoor is launched, making it more difficult for a user to spot.<\/p>\n The trojan files’ use a copyright, but it’s poorly written (including a strange character and “Apple” being in lower-case), so it is clearly not by the original authors of the valid apps they try to imitate.<\/p>\n![\"App-Icons\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2013\/09\/App-Icons.png\"){kind=icon}
<\/a>
\nInside each of the application folders we can see the invisible backdoor, .launchd.app, which is copied to the user’s Home folder and launches when the user double-clicks on the trojan application. It also launches the original commercial applications corresponding to the icon used to entice the target, which are embedded in each of the trojan application’s resources, disguising its bad activity.<\/p>\n\n
<\/a>
\nThe Mac variant uses 64 bits code without any code signing, and it is only compatible with OS X versions 10.7 and 10.8.<\/p>\n