Security Protection – Harry Waldron MVP

Apple Mac OSX – 3 new File Stealing trojan horses found May 2013

Mac OS X users should ensure they have up-to-date AV controls in place and handle email carefully: treat unexpected attachments as suspicious and do not open them. Because this trojan was signed with a (since revoked) developer certificate, Gatekeeper on its own was not a reliable barrier against it.

http://www.intego.com/mac-security-blog/two-new-variants-of-backdoor-trojan-found-targeting-activists/

http://www.intego.com/mac-security-blog/yet-another-filesteal-variant-found-today/

QUOTE: New variants of a backdoor trojan named OSX/FileSteal have been found to be targeting activists via targeted email. The trojan is signed using a developer certificate to bypass certain levels of Gatekeeper protection. At the time of writing, the certificate has been revoked and the servers used by the threat have been sinkholed and as such the threat has been effectively neutralized. As new variants could continue to be created, it is best to continue to exercise caution, particularly if you’re in a targeted group.

The backdoor itself is, like previous variants, very basic in functionality. It copies itself to the user's home folder (whereas the original variant copied itself to the /Applications folder) and adds itself to the user's login items to be launched on every startup. It does this using the same AppleScript as used by the original OSX/FileSteal.A variant. The backdoor silently takes screenshots of the affected user's machine, which are put in the ~/MacApp folder. The threat then sends collected screenshots in PNG format to one remote website, and it sends other collected user info to another, separate site. The various sites used by the backdoor are not responding at this time.
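As an added example (not code from the Intego write-up or from this post), the shell script below checks a Mac for the two host-side indicators the quoted description gives: PNG screenshots collecting in ~/MacApp, and a login item that launches from inside the user's home folder. The folder name and the login-item persistence come from the quote; the function names, the constructed sample listing in the comments, and the use of System Events via osascript to enumerate login items are this example's own assumptions.

```shell
#!/bin/sh
# Added triage example for the OSX/FileSteal indicators described above.
# Not from the Intego post or this blog; function names are hypothetical.
#
# Indicator 1: a ~/MacApp folder holding PNG screenshots.
# Indicator 2: a login item whose path points into the user's home folder
#              (the backdoor copies itself there and registers at login).

# Print the number of PNG files directly inside the given folder.
# A missing folder counts as 0 rather than an error.
count_png_screenshots() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -type f -name '*.png' | wc -l | tr -d ' '
}

# Given a newline-separated list of login-item paths ($1) and a home
# directory ($2), print the items that live inside that home directory.
# Legitimate software can live there too, so this is a "look closer"
# list, not a verdict.
flag_home_login_items() {
    listing="$1"
    home="$2"
    printf '%s\n' "$listing" | grep -F "$home/" || true
}

# Enumerate real login items via System Events when running on a Mac.
# Prints nothing elsewhere so the caller can supply a listing instead.
# Assumption: the comma-separated AppleScript result is split on ", ",
# which breaks on paths that themselves contain commas.
read_login_items() {
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'tell application "System Events" to get the path of every login item' 2>/dev/null \
            | sed 's/, /\n/g'
    fi
}

# Run both checks against a live home directory and print a summary.
run_triage() {
    home="${1:-$HOME}"
    n=$(count_png_screenshots "$home/MacApp")
    echo "PNG files in $home/MacApp: $n"
    [ "$n" -gt 0 ] && echo "  -> screenshot staging folder present; inspect the files and their timestamps"
    items=$(read_login_items)
    flagged=$(flag_home_login_items "$items" "$home")
    if [ -n "$flagged" ]; then
        echo "Login items launching from inside $home:"
        printf '%s\n' "$flagged" | sed 's/^/  /'
    else
        echo "No login items found under $home (or login items could not be read)"
    fi
}

# Usage: sh filesteal_triage.sh --run [/Users/name]
# Constructed sample listing for a dry run without osascript:
#   /Applications/Safari.app
#   /Users/alice/MacApp/Updater.app
# flag_home_login_items "<that listing>" /Users/alice prints only the second line.
[ "$1" = "--run" ] && run_triage "$2"
```

The screenshot check is the more reliable of the two on an infected host, since the folder name is fixed by the sample; the login-item check is where false positives live, so review what it flags rather than deleting on sight.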
