Last year, a variant of OSX/Imuler was discovered masquerading as an innocent PDF document.
Recently, a new variant of OSX/Imuler was discovered masquerading as image files of the popular Russian model Irina Shayk. The malicious application is placed inside a ZIP archive together with various other image files taken from FHM magazine.
By default, Mac OS X does not display file extensions. As you can see in the image below, the highlighted icon is the malicious application, but to the naked eye all of these files appear to be just image files.
[Figure 1 – Extracted Files from ZIP archive]
When the Mac malware is executed, it attempts to drop and open a non-malicious image file, 704_581660_290687.jpg, in the /tmp folder [Figure 2] and then deletes itself. The image serves as a distraction for the user while the malicious activity continues in the background.
[Figure 2 – Non Malicious Image File]
While the user is convinced that they have opened a harmless PDF document, the malware is already running in the background and attempts to drop and execute the following files:
• /tmp/.mdworker – detected as OSX/Imuler.D
• /tmp/launch-IORF98 – executes the non-malicious JPEG file
• /tmp/CurlUpload – component used to upload files
• /tmp/704_581660_290687.jpg – non-malicious JPEG file
Once OSX/Imuler.D is executed, it will attempt to drop a copy of itself as “checkvir” in /user/%user%/library/LaunchAgents/. It then creates “checkvir.plist” in the /user/%user%/library/LaunchAgents/, to ensure that the backdoor is active on the system.
It contacts the remote server “www.sugarsbutters.com”, and it is capable of performing the following commands:
• Capture the screen
• Upload files to the Command and Control server
How to Remove OSX/Imuler.C and OSX/Imuler.D:
1) Kill the running process.
Using Spotlight, type in Activity Monitor, filter by searching for “.mdworker” and “checkvir”, select each process and click Quit Process.
2) Delete OSX/Imuler.C and OSX/Imuler.D files and components.
Go to /tmp/, delete the following files:
Go to /user/%user%/library/LaunchAgents/, delete the following files:
3) Make sure that “Show all filename extensions” in Finder Preferences is checked, so there is less chance that you will fall into the same trap again in the future.
[Figure 3 – Finder Preferences]
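As an added example that is not part of the original post, the following POSIX shell check looks for the OSX/Imuler.D artifacts listed above. It assumes the directory the post writes as /user/%user%/library/LaunchAgents/ is the user's ~/Library/LaunchAgents, and it takes an optional staged root and home directory so the check can be exercised against a test tree rather than the live system.

```shell
#!/bin/sh
# Added example, not from the original post: report OSX/Imuler.D artifacts.
# Usage: imuler_artifacts [ROOT] [HOME_DIR]
#   ROOT     - prefix for system paths (empty = the real filesystem)
#   HOME_DIR - user home to inspect (default: $HOME)
# Exit status: 0 if nothing was found, 1 if at least one artifact exists.
imuler_artifacts() {
    root="${1:-}"
    home="${2:-$HOME}"
    found=0
    # Fixed-name files named in the writeup (assumption: LaunchAgents lives
    # under ~/Library/LaunchAgents, the standard per-user location).
    for f in \
        "$root/tmp/.mdworker" \
        "$root/tmp/CurlUpload" \
        "$root/tmp/704_581660_290687.jpg" \
        "$home/Library/LaunchAgents/checkvir" \
        "$home/Library/LaunchAgents/checkvir.plist"; do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            found=$((found + 1))
        fi
    done
    # The launcher name carries a random-looking suffix (launch-IORF98 in the
    # post), so match on the prefix instead of the exact name.
    for f in "$root"/tmp/launch-*; do
        [ -e "$f" ] || continue
        echo "FOUND: $f"
        found=$((found + 1))
    done
    [ "$found" -eq 0 ]
}

# Companion to step 1 above: report whether the dropped components are still
# running. Exit status 0 if none are, 1 otherwise.
imuler_processes() {
    running=0
    for p in checkvir .mdworker; do
        if command -v pgrep >/dev/null 2>&1 && pgrep -x "$p" >/dev/null 2>&1; then
            echo "RUNNING: $p"
            running=$((running + 1))
        fi
    done
    [ "$running" -eq 0 ]
}
```

Run `imuler_artifacts` with no arguments on the Mac itself; a non-zero exit means one or more of the files above is present and the removal steps still apply.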
Ensure that your Total Defense Products are updated with the latest signatures at all times.