Pages

Saturday, 9 December 2017

Mac Malware Hidden Lotus Uses Unicode To Disguise Itself



Researchers have discovered a malware copy for macOS that uses a Roman Unicode character to disguise itself. The malware in question occurs as a PDF file and also has .pdf as an extension. In reality, however, it is an application, which is also displayed by the Finder.

The "d" in .pdf appears not to be a normal d, but a Roman numeric D in lowercase, which shows the number 500. In addition, a Mac application does not need .app as an extension to be treated as an application. An application in macOS is simply a folder with a special internal structure called a bundle. A folder with the correct structure is still a folder, but when it is provided with the .app extension, it immediately becomes an application. The Finder treats it as a single file instead of a folder, and double-clicking starts the application instead of opening the folder.


When double-clicking on a file or folder, LaunchServices will first look at the extension. In the case of a known extension, it is opened with the corresponding application. When it comes to a file with an unknown extension, the user gets the question what he wants to do. However, when it is a folder with an unknown extension, LaunchServices first looks at the bundle structure if it is present. In the case of the now discovered Mac malware, it appears that they have the correct structure of an app. Because the malware actually has an unknown extension, LaunchService looks at the internal structure and therefore considers it as an application.

However, users still get a warning from macOS to see if they want to open an application that comes from the internet, as anti-malware company Malwarebytes says . In case users open the file anyway, they can get infected with the HiddenLotus backdoor. Attackers have access to the system through this backdoor. According to Malwarebytes, HiddenLotus is a variant of the OceanLotus backdoor that was used against Vietnamese Mac users, among others.

Virustotal Link:

https://www.virustotal.com/en/file/f261815905e77eebdb5c4ec06a7acdda7b68644b1f5155049f133be866d8b179/analysis/

MD5:

8a1fe734eb7d49044d8ebc0ef1b9b86f

No comments:

Post a Comment