New Mac Malware 'Janicab' abuses RLO character to hide real extension

A new Mac malware has been spotted by F-Secure researchers. It is capable of continuously taking screenshots, recording audio, and uploading them to a remote server.

What's interesting about this Mac malware is that it abuses the Right-to-Left Override (RLO) character to hide its real extension. The method is not new, though: Windows malware such as Bredolab and other trojans have used it for years.

The RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. Any text that follows it is displayed in reverse order, while the underlying bytes of the file name stay unchanged.

The malware analyzed by F-Secure uses "RecentNews.ppa.pdf" as the displayed file name for the malicious file. By just looking at the extension, you may think it is a PDF document, but in reality you are opening an executable .app bundle: the real name ends in ".fdp.app", and the RLO character placed before that part makes it render backwards as ".ppa.pdf".
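To show how the trick works and how a defender can catch it, here is an added Python example (not F-Secure's or the post's code) that flags Unicode bidirectional control characters in a file name and reports the extension the user sees versus the extension the OS actually uses; the rendering is an approximation of the Unicode bidi algorithm that only handles the RLO/PDF pair, and the sample file name is constructed to match the one described above.

```python
# Added example: detect bidi override characters in file names and compare
# the displayed extension with the real one. Not part of the F-Secure report.
import os
import unicodedata

# Bidi embedding, override and isolate controls that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}


def real_extension(name):
    """Extension the OS uses: text after the last dot in the raw string."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name):
    """Approximate how a bidi-aware UI renders the name.

    Everything after an RLO (U+202E) is shown reversed until a Pop Directional
    Formatting (U+202C) or the end of the string. Other controls are dropped.
    This is an approximation, not a full Unicode bidi implementation.
    """
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            j = name.find("\u202c", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1  # skip the PDF character if one was found
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyze(name):
    """Return what a user sees, what the OS sees, and whether they disagree."""
    found = [f"U+{ord(c):04X} ({unicodedata.name(c)})" for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    return {
        "raw": name,
        "bidi_controls": found,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "suspicious": bool(found) and shown_ext != real_ext,
    }


if __name__ == "__main__":
    # Constructed sample modelled on the case above: real name "RecentNews.<RLO>fdp.app".
    for name in ("RecentNews.\u202efdp.app", "report.pdf"):
        print(analyze(name))
```

A file-upload gateway or endpoint agent can apply the same check to any incoming file name and quarantine or rename anything where `suspicious` is true.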

Because of the RLO character in the malicious file name, the usual file quarantine notification from OS X is rendered partly backwards as well.

[Image: file quarantine notification. Image credit: F-Secure]

The notification as displayed reads: "RecentNews. Are you sure you want to open fdp " is an application downloaded it" from Internet." The dialog simply embeds the file name in its sentence, so the RLO character carried in the name reverses everything that follows it in the dialog text too.

Once it is launched, the malware displays a decoy document while it silently installs its malicious code on the victim's computer.

According to the F-Secure malware report, the threat is written in Python, uses py2app for distribution, and is signed with an Apple Developer ID.